CIVI-SA-2022-04: jQuery UI v1.13

Gepubliceerd
2022-03-16 12:00
Written by

jQuery UI v1.12 included multiple cross-site scripting vulnerabilities.

It has not been demonstrated that CiviCRM specifically is exploitable. However, it is possible that third-party extensions could use jQuery UI in a vulnerable fashion.

Security Risk
Moderately Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM v5.45.3 and earlier included the vulnerable jQuery UI v1.12.

Fixed Versions

CiviCRM versions 5.47.0, 5.46.0, and 5.45.4 ESR

Note: jQuery UI released two updates - 1.13.0 (to address security issues) and 1.13.1 (to address regressions), so 1.13.1 is preferred. As far as we currently know, both versions are equally compatible with CiviCRM 5.45 - 5.47, and both have been used in various revisions between 5.45-5.47.

(Edited with corrections and clarifications 24 March 2022.)

Publication Date
Solutions

Any ONE of the following:

  • Upgrade to CiviCRM v5.47.0+, v5.46.0+, or v5.45.4+ ESR
  • Manually upgrade jQuery UI to v1.13.1
Credits

Seamus Lee and Tim Otten for adapting and validating on CiviCRM

CVE
CVE-2021-41182, CVE-2021-41183, CVE-2021-41184