Connect with us

Hi, what are you looking for?



Resurrected jQuery UI Library Haunts Websites, Enterprise Products

Drupal developers this week informed users about several vulnerabilities discovered in a third-party library that was recently resurrected after it had apparently been discontinued.

Drupal developers this week informed users about several vulnerabilities discovered in a third-party library that was recently resurrected after it had apparently been discontinued.

The library in question is jQuery UI, which provides a set of user interface interactions, effects, widgets, and themes built on top of the popular jQuery JavaScript library.

jQuery is reportedly used by nearly three quarters of the 10 million most popular websites, and at its peak jQuery UI was also used by some of the world’s largest companies.

A new version of jQuery UI was released in October 2021, but the project was previously believed to have reached end of life as this had been the first new release in five years. The latest release fixes three cross-site scripting (XSS) vulnerabilities that could be exploited for code execution.

The flaws, classified as medium severity, are tracked as CVE-2021-41182, CVE-2021-41183 and CVE-2021-41184, and they have been patched with the release of jQuery UI 1.13.

The jQuery UI library is still being killed off as part of modernization efforts. jQuery maintainers noted that this is expected to be the final release, but promised to still provide patches for critical security, interoperability or regression bugs.

jQuery UI was added to the Drupal core in 2009, but, after realizing that the library was no longer maintained, Drupal developers announced that it would be deprecated.

Advertisement. Scroll to continue reading.

However, on Wednesday, Drupal warned that the recently patched jQuery UI vulnerabilities could still impact some Drupal 7 and/or Drupal 9 websites. Exploitation is possible via contributed Drupal modules or custom code.

The latest Drupal updates address these and a couple of older XSS vulnerabilities affecting jQuery UI.

Websites using the Backdrop CMS, which was forked from Drupal in 2013, are also affected by the vulnerabilities. Backdrop developers informed users on Wednesday that the latest version of the CMS includes the latest jQuery UI release.

IBM also informed customers about these vulnerabilities, in December. The tech giant, which assigned a high severity rating to the flaws, said the jQuery UI library is a component of its Tivoli Netcool/Impact enterprise and network management software.

Data management solutions provider NetApp has also released an advisory to tell customers about the vulnerabilities, which it said could lead to disclosure of sensitive information or modification of data. NetApp said multiple products incorporate jQuery UI.

Related: Symfony, jQuery Vulnerabilities Patched in Drupal

Related: XSS, Open Redirect Vulnerabilities Patched in Drupal

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.