Moderately Critical XSS Vulnerability in jQuery UI Datepicker


A Drupal security advisory (SA-CONTRIB-2022-004) was announced on January 19th, 2022, for a moderately critical XSS vulnerability in the vendor library jQuery UI. The jQuery UI Datepicker module provides the jQuery UI Datepicker library functionality, which is not included in Drupal 9 core.

Though jQuery UI was previously slated for End of Life, jQuery announced its continued development in late 2021 with the release of jQuery UI 1.13.0.

The following security issues, disclosed as part of the 1.13.0 update, concern sites using the jQuery UI Datepicker module:

•    CVE-2021-41182: XSS in the altField option of the Datepicker widget
•    CVE-2021-41183: XSS in *Text options of the Datepicker widget
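
As an added example (not code from the advisory, jQuery UI, or the Drupal module), the helper below audits a Datepicker configuration for the two option classes listed above when the loaded jQuery UI predates 1.13.0. The function names and the markup-character heuristic are assumptions made for illustration, and the sample configuration is constructed.

```javascript
// Added example: audit helper, not jQuery UI or Drupal module code.
// The six names below are the Datepicker "*Text" options.
const TEXT_OPTIONS = ["appendText", "buttonText", "closeText",
                      "currentText", "nextText", "prevText"];
const FIXED_IN = "1.13.0"; // jQuery UI release that carried the fixes

// Compare dotted versions: <0 if a<b, 0 if equal, >0 if a>b.
// Pre-release suffixes are ignored (parseInt stops at the first non-digit).
function compareVersions(a, b) {
  const pa = a.split("."), pb = b.split(".");
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (parseInt(pa[i], 10) || 0) - (parseInt(pb[i], 10) || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return findings for one datepicker configuration.
// Heuristic (assumption): a "<" or ">" in these options means the value
// carries markup and should be traced back to its source.
function auditDatepicker(uiVersion, options) {
  const findings = [];
  if (compareVersions(uiVersion, FIXED_IN) >= 0) return findings; // patched
  const markup = /[<>]/;
  if (typeof options.altField === "string" && markup.test(options.altField)) {
    findings.push("CVE-2021-41182: altField contains markup characters");
  }
  for (const name of TEXT_OPTIONS) {
    if (typeof options[name] === "string" && markup.test(options[name])) {
      findings.push(`CVE-2021-41183: ${name} contains markup characters`);
    }
  }
  return findings;
}

// Constructed sample configuration (benign markup only).
const sampleOptions = {
  altField: "#date-alt",
  closeText: "Done",
  prevText: "<b>Prev</b>",
};
for (const finding of auditDatepicker("1.12.1", sampleOptions)) {
  console.log(finding);
}
```

In a browser, the version argument can be taken from `$.ui.version`; a clean result on an old version only means no markup was found in the options checked, not that the upgrade can be skipped.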

Solution

If you use the jQuery UI Datepicker module for Drupal 9.x, the recommendation is to upgrade to jQuery UI Datepicker 8.x-1.2.

Source: XSS security advisory on jQuery UI
