Description
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.
CVSS Metrics
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- Attack Vector
- network
- Complexity
- low
- Privileges
- none
- User Action
- required
- Scope
- unchanged
- Confidentiality
- none
- Integrity
- high
- Availability
- none
- Weaknesses
- CWE-79CWE-79
Metadata
- Primary Vendor
- JQUERYUI
- Published
- 10/26/2021
- Last Modified
- 11/4/2025
- Source
- NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
jqueryui : jquery_uifedoraproject : fedorafedoraproject : fedorafedoraproject : fedorafedoraproject : fedoranetapp : h300s_firmwarenetapp : h500s_firmwarenetapp : h700s_firmwarenetapp : h300e_firmwarenetapp : h500e_firmwarenetapp : h700e_firmwarenetapp : h410s_firmwarenetapp : h410c_firmwaredrupal : drupaldrupal : drupaldrupal : drupaltenable : tenable.scoracle : agile_plmoracle : application_expressoracle : banking_platformoracle : banking_platformoracle : big_data_spatial_and_graphoracle : big_data_spatial_and_graphoracle : communications_interactive_session_recorderoracle : communications_operations_monitororacle : communications_operations_monitororacle : communications_operations_monitororacle : hospitality_inventory_managementoracle : hospitality_materials_controloracle : hospitality_suite8oracle : hospitality_suite8oracle : jd_edwards_enterpriseone_toolsoracle : peoplesoft_enterprise_peopletoolsoracle : peoplesoft_enterprise_peopletoolsoracle : policy_automationoracle : primavera_unifieroracle : primavera_unifieroracle : primavera_unifieroracle : primavera_unifieroracle : primavera_unifieroracle : rest_data_servicesoracle : rest_data_servicesoracle : weblogic_serveroracle : weblogic_serveroracle : weblogic_server
AI-Powered Remediation
Generate remediation guidance or a C-suite brief for this vulnerability.