search

mcaj-git / nextcloud-dev

GNU Affero General Public License v3.0
1 stars 1 forks source link

Update dependency jquery-ui to v1.13.2 [SECURITY] - autoclosed #367

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
jquery-ui (source) 1.12.1 -> 1.13.2 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2021-41182

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
    altField: "<img onerror='doEvilThing()' src='/404' />",
} );

will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

CVE-2021-41184

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:

$( "#element" ).position( {
    my: "left top",
    at: "right bottom",
    of: "<img onerror='doEvilThing()' src='/404' />",
    collision: "none"
} );

will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

CVE-2021-41183

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
    showButtonPanel: true,
    showOn: "both",
    closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
    currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
    prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
    nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
    buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
    appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );

will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

CVE-2022-31160

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:

<label>
    <input id="test-input">
    &lt;img src=x onerror="alert(1)"&gt;
</label>

and calling:

$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );

will turn the initial HTML into:

<label>
    <!-- some jQuery UI elements -->
    <input id="test-input">
    <img src=x onerror="alert(1)">
</label>

and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:

<label>
    <input id="test-input">
    <span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>

References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Release Notes

jquery/jquery-ui ### [`v1.13.2`](https://togithub.com/jquery/jquery-ui/releases/tag/1.13.2): jQuery UI 1.13.2 Released! [Compare Source](https://togithub.com/jquery/jquery-ui/compare/1.13.1...1.13.2) https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/ ### [`v1.13.1`](https://togithub.com/jquery/jquery-ui/releases/tag/1.13.1): jQuery UI 1.13.1 Released! [Compare Source](https://togithub.com/jquery/jquery-ui/compare/1.13.0...1.13.1) https://blog.jqueryui.com/2022/01/jquery-ui-1-13-1-released/ ### [`v1.13.0`](https://togithub.com/jquery/jquery-ui/releases/tag/1.13.0): jQuery UI 1.13.0 released! [Compare Source](https://togithub.com/jquery/jquery-ui/compare/1.12.1...1.13.0) https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/

Configuration

πŸ“… Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

β™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

πŸ”• Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.