jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-004
Project: jQuery UI Datepicker
Date: 2022-January-19
Security risk: Moderately critical 14∕25
Vulnerability: Cross Site Scripting
Description
jQuery UI is a third-party library used by Drupal. The jQuery UI Datepicker module provides the jQuery UI Datepicker library, which is not included in Drupal 9 core.
jQuery UI was previously thought to be end-of-life.
Late in 2021, jQuery UI announced that they would be continuing development, and released jQuery UI 1.13.0. As part of this 1.13.0 update, they disclosed the following security issues that may affect sites using the jQuery UI Datepicker module:
- CVE-2021-41182: XSS in the altField option of the Datepicker widget
- CVE-2021-41183: XSS in *Text options of the Datepicker widget
Solution
Install the latest version:
- If you use the jQuery UI Datepicker module for Drupal 9.x, upgrade to jQuery UI Datepicker 8.x-1.2