{"id":"UBUNTU-CVE-2021-41182","details":"jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.","modified":"2026-02-04T03:40:33.369259Z","published":"2021-10-26T15:15:00Z","related":["USN-6419-1"],"upstream":["CVE-2021-41182"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-41182"},{"type":"REPORT","url":"https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc"},{"type":"REPORT","url":"https://github.com/jquery/jquery-ui/commit/32850869d308d5e7c9bf3e3b4d483ea886d373ce"},{"type":"REPORT","url":"https://github.com/jquery/jquery-ui/pull/1954/commits/6809ce843e5ac4128108ea4c15cbc100653c2b63"},{"type":"REPORT","url":"https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-6419-1"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2021-41182"}],"affected":[{"package":{"name":"jqueryui","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/jqueryui@1.10.1+dfsg-1ubuntu0.14.04.1~esm1?arch=source&distro=trusty/esm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.10.1+dfsg-1ubuntu0.14.04.1~esm1"}]}],"versions":["1.10.1+dfsg-1"],"ecosystem_specific":{"binaries":[{"binary_name":"libjs-jquery-ui","binary_version":"1.10.1+dfsg-1ubuntu0.14.04.1~esm1"},{"binary_name":"libjs-jquery-ui-docs","binary_version":"1.10.1+dfsg-1ubuntu0.14.04.1~esm1"}],"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-41182.json"}},{"package":{"name":"jqueryui","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/jqueryui@1.10.1+dfsg-1ubuntu0.16.04.1~esm1?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.10.1+dfsg-1ubuntu0.16.04.1~esm1"}]}],"versions":["1.10.1+dfsg-1"],"ecosystem_specific":{"binaries":[{"binary_name":"libjs-jquery-ui","binary_version":"1.10.1+dfsg-1ubuntu0.16.04.1~esm1"},{"binary_name":"libjs-jquery-ui-docs","binary_version":"1.10.1+dfsg-1ubuntu0.16.04.1~esm1"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-41182.json"}},{"package":{"name":"jqueryui","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/jqueryui@1.12.1+dfsg-5ubuntu0.18.04.1~esm3?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.12.1+dfsg-5ubuntu0.18.04.1~esm3"}]}],"versions":["1.12.1+dfsg-5","1.12.1+dfsg-5ubuntu0.18.04.1~esm2"],"ecosystem_specific":{"binaries":[{"binary_name":"libjs-jquery-ui","binary_version":"1.12.1+dfsg-5ubuntu0.18.04.1~esm3"},{"binary_name":"libjs-jquery-ui-docs","binary_version":"1.12.1+dfsg-5ubuntu0.18.04.1~esm3"},{"binary_name":"node-jquery-ui","binary_version":"1.12.1+dfsg-5ubuntu0.18.04.1~esm3"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-41182.json"}},{"package":{"name":"jqueryui","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/jqueryui@1.12.1+dfsg-5ubuntu0.20.04.1?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.12.1+dfsg-5ubuntu0.20.04.1"}]}],"versions":["1.12.1+dfsg-5"],"ecosystem_specific":{"binaries":[{"binary_name":"libjs-jquery-ui","binary_version":"1.12.1+dfsg-5ubuntu0.20.04.1"},{"binary_name":"libjs-jquery-ui-docs","binary_version":"1.12.1+dfsg-5ubuntu0.20.04.1"},{"binary_name":"node-jquery-ui","binary_version":"1.12.1+dfsg-5ubuntu0.20.04.1"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-41182.json"}},{"package":{"name":"jqueryui","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/jqueryui@1.12.1+dfsg-5ubuntu0.20.04.1?arch=source&distro=esm-apps/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.12.1+dfsg-5ubuntu0.20.04.1"}]}],"versions":["1.12.1+dfsg-5","1.12.1+dfsg-5ubuntu0.1~esm2","1.12.1+dfsg-5ubuntu0.20.04.1~esm3"],"ecosystem_specific":{"binaries":[{"binary_name":"libjs-jquery-ui","binary_version":"1.12.1+dfsg-5ubuntu0.20.04.1"},{"binary_name":"libjs-jquery-ui-docs","binary_version":"1.12.1+dfsg-5ubuntu0.20.04.1"},{"binary_name":"node-jquery-ui","binary_version":"1.12.1+dfsg-5ubuntu0.20.04.1"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-41182.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]}