jQuery UI v1.12 included multiple cross-site scripting vulnerabilities.
It has not been demonstrated that CiviCRM specifically is exploitable. However, it is possible that third-party extensions could use jQuery UI in a vulnerable fashion.
CiviCRM v5.45.3 and earlier included the vulnerable jQuery UI v1.12.
CiviCRM versions 5.47.0, 5.46.0, and 5.45.4 ESR
Note: jQuery UI released two updates - 1.13.0 (to address security issues) and 1.13.1 (to address regressions), so 1.13.1 is preferred. As far as we currently know, both versions are equally compatible with CiviCRM 5.45 - 5.47, and both have been used in various revisions between 5.45-5.47.
(Edited with corrections and clarifications 24 March 2022.)
Any ONE of the following:
- Upgrade to CiviCRM v5.47.0+, v5.46.0+, or v5.45.4+ ESR
- Manually upgrade jQuery UI to v1.13.1
Seamus Lee and Tim Otten for adapting and validating on CiviCRM
