{"id":"CVE-2021-41183","details":"jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.","aliases":["BIT-drupal-2021-41183","GHSA-j7qv-pgf6-hvh4"],"modified":"2026-05-18T05:53:08.739024669Z","published":"2021-10-26T15:15:10.387Z","related":["SUSE-SU-2022:1729-1"],"database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"debian:debian_linux","extracted_events":[{"last_affected":"9.0"}]},{"cpes":["cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"fedoraproject:fedora","extracted_events":[{"last_affected":"33"},{"last_affected":"34"},{"last_affected":"35"},{"last_affected":"36"}]},{"cpes":["cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"oracle:agile_plm","extracted_events":[{"last_affected":"9.3.6"}]},{"cpes":["cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"oracle:application_express","extracted_events":[{"fixed":"22.1.1"}]},{"cpes":["cpe:2.3:a:oracle:banking_platform:2.12.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"oracle:banking_platform","extracted_events":[{"last_affected":"2.9.0"},{"last_affected":"2.12.0"}]},{"cpes":["cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:*","cpe:2.3:a:oracle:big_data_spatial_and_graph:23.1:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"oracle:big_data_spatial_and_graph","extracted_events":[{"fixed":"23.1"},{"last_affected":"23.1"}]},{"cpes":["cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"oracle:communications_interactive_session_recorder","extracted_events":[{"last_affected":"6.4"}]},{"cpes":["cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"oracle:communications_operations_monitor","extracted_events":[{"last_affected":"4.3"},{"last_affected":"4.4"},{"last_affected":"5.0"}]},{"cpes":["cpe:2.3:a:oracle:hospitality_inventory_management:9.1.0:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"oracle:hospitality_inventory_management","extracted_events":[{"last_affected":"9.1.0"}]},{"cpes":["cpe:2.3:a:oracle:hospitality_suite8:*:*:*:*:*:*:*:*","cpe:2.3:a:oracle:hospitality_suite8:8.10.2:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"oracle:hospitality_suite8","extracted_events":[{"introduced":"8.11.0"},{"last_affected":"11.14.0"},{"last_affected":"8.10.2"}]},{"cpes":["cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"oracle:jd_edwards_enterpriseone_tools","extracted_events":[{"last_affected":"9.2.6.3"}]},{"cpes":["cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"oracle:mysql_enterprise_monitor","extracted_events":[{"last_affected":"8.0.29"}]},{"cpes":["cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*","cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"oracle:peoplesoft_enterprise_peopletools","extracted_events":[{"last_affected":"8.58"},{"last_affected":"8.59"}]},{"cpes":["cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"oracle:policy_automation","extracted_events":[{"introduced":"12.2.0"},{"last_affected":"12.2.5"}]},{"cpes":["cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*","cpe:2.3:a:oracle:primavera_gateway:18.8.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:primavera_gateway:19.12.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:primavera_gateway:20.12.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:primavera_gateway:21.12.0:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"oracle:primavera_gateway","extracted_events":[{"introduced":"17.7"},{"last_affected":"17.12"},{"last_affected":"18.8.0"},{"last_affected":"19.12.0"},{"last_affected":"20.12.0"},{"last_affected":"21.12.0"}]},{"cpes":["cpe:2.3:a:oracle:rest_data_services:*:*:*:*:-:*:*:*","cpe:2.3:a:oracle:rest_data_services:22.1.1:*:*:*:-:*:*:*"],"source":"CPE_FIELD","vendor_product":"oracle:rest_data_services","extracted_events":[{"fixed":"22.1.1"},{"last_affected":"22.1.1"}]},{"cpes":["cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"oracle:weblogic_server","extracted_events":[{"last_affected":"12.2.1.3.0"},{"last_affected":"12.2.1.4.0"},{"last_affected":"14.1.1.0.0"}]},{"cpes":["cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"tenable:tenable.sc","extracted_events":[{"fixed":"5.21.0"}]}]},"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"},{"type":"ADVISORY","url":"https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20211118-0004/"},{"type":"ADVISORY","url":"https://www.drupal.org/sa-contrib-2022-004"},{"type":"ADVISORY","url":"https://www.drupal.org/sa-core-2022-001"},{"type":"ADVISORY","url":"https://www.drupal.org/sa-core-2022-002"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"REPORT","url":"https://bugs.jqueryui.com/ticket/15284"},{"type":"FIX","url":"https://github.com/jquery/jquery-ui/pull/1953"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.tenable.com/security/tns-2022-09"},{"type":"EVIDENCE","url":"https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/drupal/drupal","events":[{"introduced":"497914920385b7016ac9c9367e0198530787adf2"},{"fixed":"c991d5749144c851b71aa7be721715d7e346526f"},{"introduced":"943ecef3c0bc9822338252a7df6419aeb9253c9d"},{"fixed":"0733164abe68539bda283baef6105c828484bac5"},{"introduced":"698ee686c23de8c97d7e0601cf745b220d54f4e1"},{"fixed":"b6c79dbcee0f7969a14e0b1b1593eaf454718ff6"}],"database_specific":{"cpe":"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"7.0"},{"fixed":"7.86"},{"introduced":"9.2.0"},{"fixed":"9.2.11"},{"introduced":"9.3.0"},{"fixed":"9.3.3"}]}}],"versions":["7.85","9.2.10","9.3.2","7.84","9.3.0","7.83","9.2.8","9.2.7","9.2.5","9.2.3","7.81","9.2.1","9.2.0","7.79","7.77","7.76","7.71","7.68","7.64","7.61","7.56","7.55","7.54","7.51","7.50","7.43","7.42","7.40","7.37","7.36","7.33","7.30","7.28","7.25","7.23","7.22","7.17","7.15","7.14","7.12","7.10","7.9","7.8","7.7","7.6","7.4","7.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41183.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/jquery/jquery-ui","events":[{"introduced":"0"},{"fixed":"6d072c596a81d99a77fc36c14caf3eb3a803689e"}],"database_specific":{"cpe":"cpe:2.3:a:jqueryui:jquery_ui:*:*:*:*:*:jquery:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"1.13.0"}]}}],"versions":["1.9.0-beta.1","1.9.0m8","1.9m6","1.8.6","1.8.5","1.8.4","1.8.3","1.8.2","1.8.1","1.8","1.8rc3","1.8rc2","1.8rc1","1.8b1","1.8a2","1.8a1","1.7","1.6","1.6rc6","1.6rc5","1.6rc3","1.6rc2","1.5.2","1.5.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41183.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}