jQuery UI Cross-Site Scripting Vulnerability in the 'of' Option of the .position() Utility

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in jQuery UI versions prior to 1.13.0. The issue lies in the 'of' option of the '.position()' utility, where an untrusted string passed to the option could be interpreted as markup and executed as script. The vulnerable code is also present in the embedded copy of jQuery UI shipped with OTRS 7.10.6-rev61 and 8.22, as well as in various NetApp products. The issue has been fixed in jQuery UI 1.13.0, and the relevant components have been updated in OTRS and Tenable.sc.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject and execute malicious scripts in the context of the user's browser.

Reproduction

To reproduce this vulnerability, use jQuery UI version 1.12.1 or earlier and call the '.position()' utility with the 'of' option set to a string containing attacker-controlled markup, such as an image tag with an 'onerror' handler. The handler's JavaScript runs when the image fails to load.

Remediation

Users can upgrade to jQuery UI 1.13.0 or later, where this vulnerability has been addressed. For OTRS users, the update to version 7.10.6-rev43 or 8.23 is recommended. NetApp products will also receive this update.
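The root cause described above is that a string value of 'of' reached a code path that could turn markup into live DOM, so an attacker-controlled string was never safe there. The wrapper below is an added example, not code from jQuery UI, OTRS or this advisory: it accepts the same kinds of values the 'of' option takes (an element, an event object, or a string) but only ever resolves a string as a CSS selector, refusing anything containing '<'. The function names and the 'lookup' parameter (a stand-in for document.querySelector so the code runs outside a browser) are assumptions made for the example.

```javascript
// Added example: resolve a .position()-style 'of' target defensively.
// `lookup` stands in for document.querySelector so this runs in Node.
function resolvePositionOf(of, lookup) {
  if (of === null || of === undefined) {
    throw new TypeError("position 'of' target is required");
  }
  // Elements, jQuery-wrapped sets and event objects pass through untouched;
  // none of them carries markup that could be parsed into new nodes.
  if (typeof of === "object") {
    return of;
  }
  if (typeof of !== "string") {
    throw new TypeError("position 'of' must be an element, event or selector string");
  }
  // A valid CSS selector never contains '<'. Anything that does is markup,
  // which is exactly the input class the advisory describes; refuse it
  // instead of letting it reach an HTML-parsing path.
  if (of.includes("<")) {
    throw new Error("position 'of' must be a CSS selector, not HTML");
  }
  // Resolve strictly as a selector. A selector that matches nothing is a
  // configuration error, not something to fall back on.
  const el = lookup(of);
  if (!el) {
    throw new Error(`position 'of' selector matched no element: ${of}`);
  }
  return el;
}

// Constructed stand-in for a tiny DOM: supports lookup by id selector only.
const fakeDom = { "#anchor": { id: "anchor" }, "#button": { id: "button" } };
function fakeQuerySelector(selector) {
  return fakeDom[selector] || null;
}

// Returns true when `value` is refused by the wrapper, false when it resolves.
function isRejected(value) {
  try {
    resolvePositionOf(value, fakeQuerySelector);
    return false;
  } catch (e) {
    return true;
  }
}

// Stand-alone demonstration (constructed inputs).
console.log("#anchor resolves:", !isRejected("#anchor"));
console.log("markup string refused:", isRejected("<img src=x onerror=evil()>"));
console.log("unknown selector refused:", isRejected("#missing"));
```

The same principle applies to any option that accepts "element or selector": validate the string as a selector before it reaches a function such as $() that can also construct HTML from a string.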

Added: May 15, 2026, 12:13 PM
Updated: May 15, 2026, 12:13 PM

Vulnerability Rating

Custom Algorithm

  spread          7.8
  impact          1.7
  exploitability  5.8
  remediation     8.3
  relevance       0.0
  threat          7.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.