Vulnerability CVE-2021-41182: Information
Description
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.
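The workaround above, sketched as an added example (not code from jQuery UI or from the packages listed on this page): the untrusted input only selects among developer-written selectors and never reaches `altField` itself. The field names, element ids and helper function names are hypothetical.

```javascript
"use strict";
// Added example, not jQuery UI code. Gate for a Datepicker `altField` value
// that originates outside the application (query string, stored preference).

const FIXED_IN = [1, 13, 0]; // version this page names as containing the fix

// True when a dotted version string is >= 1.13.0.
// Assumption: pre-release suffixes such as "-rc.1" are ignored.
function isFixedVersion(version) {
  const parts = String(version).split(".").map((p) => parseInt(p, 10));
  for (let i = 0; i < FIXED_IN.length; i++) {
    const have = Number.isInteger(parts[i]) ? parts[i] : 0;
    if (have !== FIXED_IN[i]) return have > FIXED_IN[i];
  }
  return true;
}

// Constructed allowlist: logical names the application knows about, mapped to
// selectors written by the developer. A Map avoids inherited keys such as
// "constructor" that a plain object lookup would match.
const ALT_FIELDS = new Map([
  ["start", "#start-date-iso"],
  ["end", "#end-date-iso"],
]);

// Returns a developer-authored selector for an untrusted key, or null.
function resolveAltField(untrustedKey) {
  if (typeof untrustedKey !== "string") return null;
  return ALT_FIELDS.has(untrustedKey) ? ALT_FIELDS.get(untrustedKey) : null;
}

// Builds the options object for .datepicker(); altField is set only when the
// untrusted key maps to an allowlisted selector.
function datepickerOptions(untrustedKey, uiVersion) {
  const options = { dateFormat: "yy-mm-dd" };
  const selector = resolveAltField(untrustedKey);
  if (selector !== null) {
    options.altField = selector;
    options.altFormat = "yy-mm-dd";
  }
  // The allowlist stays in place after upgrading; the flag only reports
  // whether the bundled jQuery UI still predates the fix.
  return { options, upgradeNeeded: !isFixedVersion(uiVersion) };
}
```
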
Severity: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
moodle | p10 | 3.11.17-alt1 | 4.3.0-alt1 | ALT-PU-2023-6282-2 | 331471 | Fixed |
moodle | p10_e2k | 3.11.17-alt1 | 4.3.0-alt1 | ALT-PU-2023-6989-1 | - | Fixed |
moodle | c10f1 | 3.11.17-alt1 | 3.11.17-alt1 | ALT-PU-2023-6850-2 | 333334 | Fixed |