jQuery UI Cross-Site Scripting Vulnerability

A Cross-Site Scripting (XSS) vulnerability exists in jQuery UI version 1.13.1. This issue allows remote attackers to execute arbitrary code and access sensitive information by injecting a malicious payload into the window.addEventListener component. The vulnerability is categorized as Reflected Cross-Site Scripting, where the injected script is executed immediately when the payload is processed.

Impact

Exploitation of this vulnerability allows for Cross-Site Scripting, where an attacker can execute scripts in the context of the user's browser. This could lead to stealing cookies and session tokens, potentially allowing for account takeover.

Reproduction

To reproduce this vulnerability, inject a script tag containing JavaScript code into the window.addEventListener function. This can be done by crafting a URL that includes the malicious payload, such as a script injection example provided in the vulnerability details.

Remediation

Users should update to the latest version of jQuery UI where this vulnerability has been patched.