REDHAT-BUG-2019148: Medium severity jquery ui vulnerability
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various Text options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various Text options are now always treated as pure text, not HTML. A workaround is to not accept the value of the Text options from untrusted sources.
Reference: https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4
Upstream patch: https://github.com/jquery/jquery-ui/pull/1953
Affected Software
Event History
Frequently Asked Questions
What is the severity of REDHAT-BUG-2019148?
REDHAT-BUG-2019148 is classified as a high severity vulnerability due to potential code execution risks.
How do I fix REDHAT-BUG-2019148?
To fix REDHAT-BUG-2019148, upgrade to jQuery UI version 1.13.0 or later.
What are the consequences of not mitigating REDHAT-BUG-2019148?
Not mitigating REDHAT-BUG-2019148 could allow attackers to execute untrusted code through the Datepicker widget.
Which versions of jQuery UI are affected by REDHAT-BUG-2019148?
Versions of jQuery UI prior to 1.13.0 are affected by REDHAT-BUG-2019148.
What components are impacted by REDHAT-BUG-2019148?
The Datepicker widget in jQuery UI that accepts various *Text options from untrusted sources is impacted by REDHAT-BUG-2019148.