jQuery UI Datepicker Vulnerability in jQuery UI Versions Prior to 1.13.0 Allows Cross-Site Scripting

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the jQuery UI Datepicker widget, affecting jQuery UI versions prior to 1.13.0. The widget inserted the values of its various '*Text' options into the page as HTML, so a value taken from an untrusted source could carry script that runs in the page. The issue has been addressed in jQuery UI 1.13.0, where such values are now treated as plain text rather than HTML. The vulnerable code is also shipped by several applications and frameworks that bundle jQuery UI, including Drupal 7, OTRS 6, and NetApp products.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, initialize the Datepicker widget with untrusted content in one or more of the '*Text' options, such as 'closeText', 'currentText', 'prevText', 'nextText', 'buttonText', and 'appendText'. Any script contained in the injected markup executes when the user interacts with the Datepicker.

Remediation

Users should upgrade to jQuery UI 1.13.0 or later. For applications like Drupal 7, OTRS 6, and those using the jQuery Update module, specific update instructions are available.
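For applications that cannot upgrade immediately, the following added example (not jQuery UI's own code, nor part of this advisory) shows the defensive equivalent of the 1.13.0 fix: the '*Text' option values are HTML-escaped before the widget sees them, and a small audit helper reports which options carry markup. The option names come from the advisory; the sample options and helper names are constructed for illustration, and the escaped object would be passed to `$(...).datepicker(...)` in a real page.

```javascript
// Option names listed in the advisory as rendered as HTML by Datepicker < 1.13.0.
const TEXT_OPTIONS = ['closeText', 'currentText', 'prevText', 'nextText', 'buttonText', 'appendText'];

// HTML-escape one string so that it renders literally even where the widget
// inserts it as markup (this is what "treated as plain text" amounts to).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Return a copy of the Datepicker options with every '*Text' value escaped.
// Non-text options (dateFormat, minDate, ...) are passed through unchanged.
function hardenDatepickerOptions(options) {
  const hardened = { ...options };
  for (const key of TEXT_OPTIONS) {
    if (typeof hardened[key] === 'string') {
      hardened[key] = escapeHtml(hardened[key]);
    }
  }
  return hardened;
}

// Audit helper: names of the '*Text' options whose value contains a tag,
// i.e. the values a pre-1.13.0 Datepicker would have interpreted as HTML.
function findMarkupInTextOptions(options) {
  return TEXT_OPTIONS.filter(
    (key) => typeof options[key] === 'string' && /<[^>]*>/.test(options[key])
  );
}

// Constructed sample: closeText arrives from an untrusted source and carries markup.
const untrustedOptions = {
  dateFormat: 'yy-mm-dd',
  closeText: '<b>Close</b>',
  prevText: 'Prev',
};

// Usage: audit first, then hand the hardened copy to the widget.
const flagged = findMarkupInTextOptions(untrustedOptions); // ['closeText']
const safeOptions = hardenDatepickerOptions(untrustedOptions);
```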

Added: May 15, 2026, 1:25 PM
Updated: May 15, 2026, 1:25 PM

Vulnerability Rating (Custom Algorithm)

spread: 7.8
impact: 1.7
exploitability: 5.8
remediation: 7.9
relevance: 0.0
threat: 6.5
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.