jQuery UI Datepicker Vulnerability in altField Option Allowing Cross-Site Scripting

Vulnerability

A cross-site scripting vulnerability has been identified in the Datepicker widget of jQuery UI, versions prior to 1.13.0. The issue arises from the altField option: when its value is sourced from untrusted input, that input can lead to script execution. The vulnerability is present in various applications and products that bundle jQuery UI, including Drupal 7, OTRS 6, and several NetApp products. The issue has been acknowledged in the jQuery UI blog and is part of a larger set of vulnerabilities addressed in the 1.13.0 release.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, initialize the Datepicker widget with a value for the altField option that includes untrusted code, such as an image tag with an onerror event. This can be done by using a jQuery selector to target an input element and setting the altField option to a string that includes the malicious payload.

Remediation

Users can upgrade to jQuery UI 1.13.0 or later, where this vulnerability is fixed. For applications like Drupal 7, the update to version 7.86 includes this fix.

Added: May 15, 2026, 12:18 PM
Updated: May 15, 2026, 12:18 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 1.7
exploitability: 5.8
remediation: 7.9
relevance: 0.0
threat: 7.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.