jquery / jquery-ui

The official jQuery user interface library.
https://jqueryui.com

Vulnerability Detected: CVE-2024-30875 (Cross-site Scripting - XSS) #2305

Open goiaalexandru opened 1 day ago

goiaalexandru commented 1 day ago

Package: jquery-ui@1.13.1 or above.

Vulnerability Title: [CVE-2024-30875] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vulnerability Description: A Cross-Site Scripting (XSS) vulnerability exists in jquery-ui@1.13.1, allowing a remote attacker to execute arbitrary code and potentially obtain sensitive information. This vulnerability is triggered via a crafted payload targeting the window.addEventListener component.

CVSS Score: 5.1 (Medium)
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVE: CVE-2024-30875

Extra: https://cvefeed.io/vuln/detail/CVE-2024-30875

Steps to Reproduce:

1. Use jquery-ui@1.13.1 or above in a web application.
2. Send a crafted payload to exploit the window.addEventListener component.
3. The payload is improperly neutralized, leading to XSS vulnerability.

Please consider patching this vulnerability in the next release.

Thank you!

jasonparallel commented 1 day ago

Was there an issue that was fixed in 1.13.2 but not included in the release notes (https://jqueryui.com/changelog/1.13.2/)?

d-ellis commented 14 hours ago

I don't think there's anything to fix. The CVE proof of concept is so vague it can apply to any app, even if it doesn't use any dependencies. It boils down to "If you take user input and directly insert it into your page, bad things can happen", which is not a jquery-ui problem.
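The distinction d-ellis's comment turns on, shown as an added example (this is not code from jquery-ui, from the CVE entry, or from any participant in this thread): the same user-supplied string rendered as markup versus rendered as text. Node has no DOM, so the "page" here is an HTML string built the way a template or a string-concatenating widget would build it; the jQuery and DOM equivalents are named in the comments. The sample input, the `escapeHtml` helper and the `countInjectedTags` review helper are all constructed for this illustration.

```javascript
// Added illustration, not code from jquery-ui or from this issue's participants.
// It contrasts the two ways an application can put a string from a user into
// the document: as markup (jQuery .html(), element.innerHTML) or as text
// (jQuery .text(), element.textContent, or escaped template output).

// Constructed sample input. It carries markup on purpose so the two rendering
// paths produce visibly different results; the source of the string (a form
// field, a URL parameter, a message-event payload) makes no difference.
const SAMPLE_USER_INPUT =
  'O\'Neil <b>says</b> "hi" & <a href="#" onclick="handler()">link</a>';

// Escape the five characters that can change meaning inside HTML text and
// attribute values. Everything else passes through unchanged.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The pattern the comment describes: input concatenated straight into markup.
// Equivalent to $('#greeting').html(input) or el.innerHTML = input.
function renderAsMarkup(input) {
  return `<p id="greeting">${input}</p>`;
}

// The corrected pattern: the same input rendered as inert text.
// Equivalent to $('#greeting').text(input) or el.textContent = input.
function renderAsText(input) {
  return `<p id="greeting">${escapeHtml(input)}</p>`;
}

// Review helper: count opening tags in the final markup beyond the ones the
// template itself contributes. Anything above zero means user-supplied markup
// reached the page, which is the condition a reviewer is looking for.
function countInjectedTags(renderedHtml, templateTagCount) {
  const openingTags = renderedHtml.match(/<[a-zA-Z][^>]*>/g) || [];
  return openingTags.length - templateTagCount;
}

// The template above contributes exactly one opening tag (<p id="greeting">).
const TEMPLATE_TAG_COUNT = 1;

// Run both paths over the sample and report what each one let through.
function demo() {
  const unsafe = renderAsMarkup(SAMPLE_USER_INPUT);
  const safe = renderAsText(SAMPLE_USER_INPUT);
  return {
    unsafeInjectedTags: countInjectedTags(unsafe, TEMPLATE_TAG_COUNT),
    safeInjectedTags: countInjectedTags(safe, TEMPLATE_TAG_COUNT),
    unsafeHtml: unsafe,
    safeHtml: safe,
  };
}

// Stand-alone run: node this_file.js
if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running `demo()` reports two injected tags on the markup path (the `<b>` and the `<a ... onclick>`) and zero on the text path, where the same characters survive only as `&lt;`, `&gt;`, `&amp;` and `&quot;` entities. The choice between the two paths is made in application code at the point where the string meets the document, which is why a library that never makes that choice for you cannot fix it on the application's behalf.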