CIVI-SA-2022-04: jQuery UI v1.13

2022-03-16 12:00
Written by dev-team - member of the CiviCRM community

jQuery UI v1.12 included multiple cross-site scripting vulnerabilities.

It has not been demonstrated that CiviCRM specifically is exploitable. However, it is possible that third-party extensions could use jQuery UI in a vulnerable fashion.

Security Risk

Moderately Critical
Cross Site Scripting

Affected Versions

CiviCRM v5.45.3 and earlier included the vulnerable jQuery UI v1.12.

Fixed Versions

CiviCRM versions 5.47.0, 5.46.0, and 5.45.4 ESR

Note: jQuery UI released two updates, 1.13.0 (to address security issues) and 1.13.1 (to address regressions), so 1.13.1 is preferred. As far as we currently know, both versions are equally compatible with CiviCRM 5.45 - 5.47, and both have been used in various revisions between 5.45 and 5.47.

(Edited with corrections and clarifications 24 March 2022.)

Publication Date

Any ONE of the following:

  • Upgrade to CiviCRM v5.47.0+, v5.46.0+, or v5.45.4+ ESR
  • Manually upgrade jQuery UI to v1.13.1
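
One way to confirm which jQuery UI copies a site actually ships after either option, including copies bundled by third-party extensions (an added example, not part of the original advisory or CiviCRM's code). The banner and `ui.version` patterns, the status labels, and the sample file names and contents are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption (not from the advisory): a jQuery UI build identifies itself by its
# "/*! jQuery UI - v1.12.1 - ..." banner or a `ui.version = "1.12.1"` assignment.
VERSION_RE = re.compile(r"(?:jQuery UI - v|ui\.version\s*=\s*[\"'])(\d+)\.(\d+)\.(\d+)")
FIXED = (1, 13, 0)      # release the advisory says addresses the security issues
PREFERRED = (1, 13, 1)  # release the advisory says addresses the regressions

def detect_version(text):
    """Return the jQuery UI version a file declares as an int tuple, or None."""
    match = VERSION_RE.search(text)
    return tuple(map(int, match.groups())) if match else None

def classify(version):
    """Compare numerically, so 1.9.2 sorts below 1.13.0 (string comparison would not)."""
    if version < FIXED:
        return "vulnerable"
    return "preferred" if version >= PREFERRED else "fixed"

def audit(root):
    """Map every .js file under root that declares a jQuery UI version to its status."""
    findings = {}
    for path in sorted(Path(root).rglob("*.js")):
        version = detect_version(path.read_text(encoding="utf-8", errors="replace"))
        if version is not None:
            findings[path.relative_to(root).as_posix()] = classify(version)
    return findings

def demo():
    """Run audit() over constructed sample files (an install plus three extensions)."""
    samples = {
        "core/jquery-ui.min.js": "/*! jQuery UI - v1.13.1 - 2022-01-20 */",
        "ext/example/js/jquery-ui.js": "/*! jQuery UI - v1.12.1 - 2016-09-14 */",
        "ext/legacy/ui.js": '$.ui.version = "1.9.2";',
        "ext/other/app.js": "console.log('not jQuery UI');",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return audit(tmp)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:10} {name}")
```

Point `audit()` at the CiviCRM root and the extensions directory; a `vulnerable` result identifies a leftover copy of the older library, not a demonstrated exploit.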

Seamus Lee and Tim Otten for adapting and validating on CiviCRM

CVE-2021-41182, CVE-2021-41183, CVE-2021-41184