{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"state":"PUBLISHED","cveId":"CVE-2021-41184","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","dateUpdated":"2025-11-04T16:09:17.971Z","dateReserved":"2021-09-15T00:00:00.000Z","datePublished":"2021-10-26T00:00:00.000Z"},"containers":{"cna":{"title":"XSS in the `of` option of the `.position()` util","providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2023-08-31T02:06:17.867Z"},"descriptions":[{"lang":"en","value":"jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources."}],"affected":[{"vendor":"jquery","product":"jquery-ui","versions":[{"version":"< 1.13.0","status":"affected"}]}],"references":[{"url":"https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/"},{"url":"https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327"},{"url":"https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280"},{"name":"FEDORA-2021-51c256bf87","tags":["vendor-advisory"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/"},{"name":"FEDORA-2021-ab38307fc3","tags":["vendor-advisory"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/"},{"name":"FEDORA-2021-013ab302be","tags":["vendor-advisory"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/"},{"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"url":"https://security.netapp.com/advisory/ntap-20211118-0004/"},{"url":"https://www.drupal.org/sa-core-2022-001"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"url":"https://www.tenable.com/security/tns-2022-09"},{"name":"FEDORA-2022-9d655503ea","tags":["vendor-advisory"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/"},{"name":"FEDORA-2022-bf18450366","tags":["vendor-advisory"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/"},{"url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"}}],"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","cweId":"CWE-79"}]}],"source":{"advisory":"GHSA-gpqq-952q-5327","discovery":"UNKNOWN"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/","tags":["x_transferred"]},{"url":"https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327","tags":["x_transferred"]},{"url":"https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280","tags":["x_transferred"]},{"name":"FEDORA-2021-51c256bf87","tags":["vendor-advisory","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/"},{"name":"FEDORA-2021-ab38307fc3","tags":["vendor-advisory","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/"},{"name":"FEDORA-2021-013ab302be","tags":["vendor-advisory","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/"},{"url":"https://www.oracle.com/security-alerts/cpuapr2022.html","tags":["x_transferred"]},{"url":"https://security.netapp.com/advisory/ntap-20211118-0004/","tags":["x_transferred"]},{"url":"https://www.drupal.org/sa-core-2022-001","tags":["x_transferred"]},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","tags":["x_transferred"]},{"url":"https://www.tenable.com/security/tns-2022-09","tags":["x_transferred"]},{"name":"FEDORA-2022-9d655503ea","tags":["vendor-advisory","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/"},{"name":"FEDORA-2022-bf18450366","tags":["vendor-advisory","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/"},{"url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html","tags":["x_transferred"]},{"url":"http://seclists.org/fulldisclosure/2024/Aug/37"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-04T16:09:17.971Z"}}]}}