jQuery UI Checkboxradio Widget Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting vulnerability has been identified in the jQuery UI Checkboxradio widget, affecting versions prior to 1.13.2. When a checkboxradio widget is initialized on an input nested inside a label, the label's contents are used as the input's label. If that initial HTML contains encoded entities, calling '.checkboxradio("refresh")' decodes them, so markup that was displayed as literal text is rendered as HTML and any script it carries can execute. This is particularly concerning when the label content is derived from user input, since it allows the injection and execution of attacker-controlled scripts.

Impact

Exploitation of this vulnerability could result in cross-site scripting, allowing for the injection and execution of malicious JavaScript in the victim's browser.

Reproduction

To reproduce this vulnerability, initialize a Checkboxradio widget on an input element that is enclosed within a label. Ensure that the label contains encoded HTML entities, such as an encoded image tag. After the widget is initialized, call the '.checkboxradio("refresh")' method. This triggers the vulnerability: the encoded entities are decoded into live markup, and any embedded JavaScript, such as an alert, is executed.

Remediation

Users can upgrade to jQuery UI version 1.13.2 or later, or if using the jQuery UI Checkboxradio module for Drupal 9, upgrade to version 8.x-1.4.
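The following is an added example and is not jQuery UI's or the Drupal module's own code. It models the single entity-decoding step that the Reproduction section attributes to refresh(), so a defender can check whether a label's HTML would turn into markup after that step, and compares a loaded jQuery UI version against the fixed release named under Remediation. The entity table, the double-escaping stopgap and the function names are assumptions of this example.

```javascript
// Added example, not project code. Models one entity-decode round over a
// label's innerHTML (the step the advisory attributes to refresh()) and adds
// two defender checks. Entity coverage below is an assumption of this example.
const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", nbsp: "\u00a0" };

// One round of entity decoding over a label's innerHTML string.
function decodeEntitiesOnce(html) {
  return html.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return code >= 0 && code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named !== undefined ? named : match;
  });
}

// True when one decode round exposes a tag: the condition under which the
// advisory says refresh() can end up executing script from the label.
function labelDecodesToMarkup(labelHtml) {
  return /<\s*\/?[a-z]/i.test(decodeEntitiesOnce(labelHtml));
}

// Escapes a string so that exactly one decode round restores it unchanged.
// Applying this to a label's existing innerHTML before refresh() is a stopgap
// for unpatched installs (an assumption here, not a documented workaround);
// the real fix is the upgrade described in the Remediation section.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Compares a version string such as "1.13.1" against the fixed release 1.13.2.
function isAffectedJQueryUI(version) {
  const parts = version.split(".").map((p) => parseInt(p, 10) || 0);
  const fixed = [1, 13, 2];
  for (let i = 0; i < fixed.length; i++) {
    const part = parts[i] || 0;
    if (part !== fixed[i]) return part < fixed[i];
  }
  return false; // exactly 1.13.2
}

// Constructed sample: a label whose visible text is the literal "<img src=x>".
const SAMPLE_LABEL = "&lt;img src=x&gt; Accept the terms";
console.log(labelDecodesToMarkup(SAMPLE_LABEL), labelDecodesToMarkup(escapeHtml(SAMPLE_LABEL))); // true false
console.log(isAffectedJQueryUI("1.13.1"), isAffectedJQueryUI("1.13.2")); // true false
```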

Added: May 15, 2026, 12:09 PM
Updated: May 15, 2026, 12:09 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 1.7
exploitability: 5.8
remediation: 8.3
relevance: 0.0
threat: 6.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.