CVE-2022-31160: jQuery UI contains potential XSS vulnerability when refreshing a checkboxradio with an HTML-like initial text label

Published Jul 18, 2022
·
Updated

Impact Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML: html <label> <input id="test-input"> &lt;img src=x onerror="alert(1)"&gt; </label> and calling: js $( "#test-input" ).checkboxradio(); $( "#test-input" ).checkboxradio( "refresh" ); will turn the initial HTML into: html <label> <!-- some jQuery UI elements --> <input id="test-input"> <img src=x onerror="alert(1)"> </label> and the alert will get executed.

Patches The bug has been patched in jQuery UI 1.13.2.

Workarounds To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span: html <label> <input id="test-input"> <span>&lt;img src=x onerror="alert(1)"&gt;</span> </label>

References https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Other sources

dnsjava is vulnerable to a denial of service, caused by an error when using the ValidatingResolver for DNSSEC validation. By using specially crafted DNSSEC-signed zones, an attacker could exploit this vulnerability to exhaust all available CPU resources.

IBM

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the label in a span.

Launchpad

Affected Software

37 affected componentsFixes available
debian/jqueryui
1.12.1+dfsg-8+deb11u21.13.2+dfsg-1
IBM Cognos Dashboards on Cloud Pak for Data<=5.0.0
IBM Cognos Dashboards on Cloud Pak for Data<=4.8.0
jqueryui Jquery Ui Jquery<1.13.2
NetApp H300s Firmware
NetApp H300s
NetApp H500s Firmware
NetApp H500s
NetApp H700s Firmware
NetApp H700s
NetApp H410s Firmware
NetApp H410s
NetApp H410c Firmware
NetApp H410c
NetApp OnCommand Insight
Drupal Jquery Ui Checkboxradio Drupal=8.x-1.0
Drupal Jquery Ui Checkboxradio Drupal=8.x-1.1
Drupal Jquery Ui Checkboxradio Drupal=8.x-1.2
Drupal Jquery Ui Checkboxradio Drupal=8.x-1.3
Fedoraproject Fedora=35
Fedoraproject Fedora=36
Fedoraproject Fedora=37
Debian Debian Linux=10.0
rubygems/jquery-ui-rails<8.0.0
8.0.0
nuget/jQuery.UI.Combined<1.13.2
1.13.2
maven/org.webjars.npm:jquery-ui<1.13.2
1.13.2
npm/jquery-ui<1.13.2
1.13.2
All of the following
NetApp H300s Firmware
NetApp H300s
All of the following
NetApp H500s Firmware
NetApp H500s
All of the following
NetApp H700s Firmware
NetApp H700s
All of the following
NetApp H410s Firmware
NetApp H410s
All of the following
NetApp H410c Firmware
NetApp H410c

Remediation

Patch Available

https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9

Event History

Jul 18, 2022
Advisory Published
via GitHub·05:07 PM
Data Sourced
via GitHub·05:07 PM
DescriptionSeverityWeaknessAffected Software
Jul 20, 2022
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
DescriptionSeverityWeakness
Data Sourced
via NVD·08:15 PM
RemedyDescriptionSeverityWeaknessAffected Software
Jan 12, 2024
Data Sourced
via Launchpad·12:08 AM
Description
Sep 16, 2024
Data Sourced
via Ubuntu·02:57 AM
RemedyDescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the vulnerability ID of this issue?

The vulnerability ID of this issue is CVE-2022-31160.

2

What is the impact of this vulnerability?

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label, leading to the incorrect decoding of encoded HTML entities.

3

How can I trigger this vulnerability?

To trigger this vulnerability, you need to initialize a checkboxradio widget on an input enclosed within a label that contains encoded HTML entities and then call `.checkboxradio( "refresh" )` on the widget.

4

What is the severity rating of CVE-2022-31160?

CVE-2022-31160 has a severity rating of 6.1 (Medium).

5

How do I fix CVE-2022-31160?

To fix CVE-2022-31160, update your jQuery UI library to version 1.13.2 or higher.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203