Source: jqueryui X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security
Hi, The following vulnerability was published for jqueryui. CVE-2022-31160[0]: | jQuery UI is a curated set of user interface interactions, effects, | widgets, and themes built on top of jQuery. Versions prior to 1.13.2 | are potentially vulnerable to cross-site scripting. Initializing a | checkboxradio widget on an input enclosed within a label makes that | parent label contents considered as the input label. Calling | `.checkboxradio( "refresh" )` on such a widget and the initial HTML | contained encoded HTML entities will make them erroneously get | decoded. This can lead to potentially executing JavaScript code. The | bug has been patched in jQuery UI 1.13.2. To remediate the issue, | someone who can change the initial HTML can wrap all the non-input | contents of the `label` in a `span`. https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9 https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9 If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-31160 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31160 Please adjust the affected versions in the BTS as needed.