Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Resurrected jQuery UI Library Haunts Websites, Enterprise Products

Drupal developers this week informed users about several vulnerabilities discovered in a third-party library that was recently resurrected after it had apparently been discontinued.

Drupal developers this week informed users about several vulnerabilities discovered in a third-party library that was recently resurrected after it had apparently been discontinued.

The library in question is jQuery UI, which provides a set of user interface interactions, effects, widgets, and themes built on top of the popular jQuery JavaScript library.

jQuery is reportedly used by nearly three quarters of the 10 million most popular websites, and at its peak jQuery UI was also used by some of the world’s largest companies.

A new version of jQuery UI was released in October 2021, but the project was previously believed to have reached end of life as this had been the first new release in five years. The latest release fixes three cross-site scripting (XSS) vulnerabilities that could be exploited for code execution.

The flaws, classified as medium severity, are tracked as CVE-2021-41182, CVE-2021-41183 and CVE-2021-41184, and they have been patched with the release of jQuery UI 1.13.

The jQuery UI library is still being killed off as part of modernization efforts. jQuery maintainers noted that this is expected to be the final release, but promised to still provide patches for critical security, interoperability or regression bugs.

jQuery UI was added to the Drupal core in 2009, but, after realizing that the library was no longer maintained, Drupal developers announced that it would be deprecated.

However, on Wednesday, Drupal warned that the recently patched jQuery UI vulnerabilities could still impact some Drupal 7 and/or Drupal 9 websites. Exploitation is possible via contributed Drupal modules or custom code.

The latest Drupal updates address these and a couple of older XSS vulnerabilities affecting jQuery UI.

Websites using the Backdrop CMS, which was forked from Drupal in 2013, are also affected by the vulnerabilities. Backdrop developers informed users on Wednesday that the latest version of the CMS includes the latest jQuery UI release.

IBM also informed customers about these vulnerabilities, in December. The tech giant, which assigned a high severity rating to the flaws, said the jQuery UI library is a component of its Tivoli Netcool/Impact enterprise and network management software.

Data management solutions provider NetApp has also released an advisory to tell customers about the vulnerabilities, which it said could lead to disclosure of sensitive information or modification of data. NetApp said multiple products incorporate jQuery UI.

Related: Symfony, jQuery Vulnerabilities Patched in Drupal

Related: XSS, Open Redirect Vulnerabilities Patched in Drupal

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.