Security Experts:

Resurrected jQuery UI Library Haunts Websites, Enterprise Products

Drupal developers this week informed users about several vulnerabilities discovered in a third-party library that was recently resurrected after it had apparently been discontinued.

The library in question is jQuery UI, which provides a set of user interface interactions, effects, widgets, and themes built on top of the popular jQuery JavaScript library.

jQuery is reportedly used by nearly three quarters of the 10 million most popular websites, and at its peak jQuery UI was also used by some of the world’s largest companies.

A new version of jQuery UI was released in October 2021, but the project was previously believed to have reached end of life as this had been the first new release in five years. The latest release fixes three cross-site scripting (XSS) vulnerabilities that could be exploited for code execution.

The flaws, classified as medium severity, are tracked as CVE-2021-41182, CVE-2021-41183 and CVE-2021-41184, and they have been patched with the release of jQuery UI 1.13.

The jQuery UI library is still being killed off as part of modernization efforts. jQuery maintainers noted that this is expected to be the final release, but promised to still provide patches for critical security, interoperability or regression bugs.

jQuery UI was added to the Drupal core in 2009, but, after realizing that the library was no longer maintained, Drupal developers announced that it would be deprecated.

However, on Wednesday, Drupal warned that the recently patched jQuery UI vulnerabilities could still impact some Drupal 7 and/or Drupal 9 websites. Exploitation is possible via contributed Drupal modules or custom code.

The latest Drupal updates address these and a couple of older XSS vulnerabilities affecting jQuery UI.

Websites using the Backdrop CMS, which was forked from Drupal in 2013, are also affected by the vulnerabilities. Backdrop developers informed users on Wednesday that the latest version of the CMS includes the latest jQuery UI release.

IBM also informed customers about these vulnerabilities, in December. The tech giant, which assigned a high severity rating to the flaws, said the jQuery UI library is a component of its Tivoli Netcool/Impact enterprise and network management software.

Data management solutions provider NetApp has also released an advisory to tell customers about the vulnerabilities, which it said could lead to disclosure of sensitive information or modification of data. NetApp said multiple products incorporate jQuery UI.

Related: Symfony, jQuery Vulnerabilities Patched in Drupal

Related: XSS, Open Redirect Vulnerabilities Patched in Drupal

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.