CVE-2021-41183

MEDIUM6.5EPSS 3.1%

XSS in `*Text` options of the Datepicker widget in jquery-ui

Published: 10/26/2021Modified: 3/13/2026

Also known as:GHSA-j7qv-pgf6-hvh4BIT-drupal-2021-41183

Description

### Impact Accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way: ```js $( "#datepicker" ).datepicker( { showButtonPanel: true, showOn: "both", closeText: "<script>doEvilThing( 'closeText XSS' )</script>", currentText: "<script>doEvilThing( 'currentText XSS' )</script>", prevText: "<script>doEvilThing( 'prevText XSS' )</script>", nextText: "<script>doEvilThing( 'nextText XSS' )</script>", buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>", appendText: "<script>doEvilThing( 'appendText XSS' )</script>", } ); ``` will call `doEvilThing` with 6 different parameters coming from all `*Text` options. ### Patches The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. ### Workarounds A workaround is to not accept the value of the `*Text` options from untrusted sources. ### For more information If you have any questions or comments about this advisory, search for a relevant issue in [the jQuery UI repo](https://github.com/jquery/jquery-ui/issues). If you don't find an answer, open a new issue.

Affected packages (7)

Bitnami/drupal>= 7.0.0, < 7.86.0, >= 9.2.0, < 9.2.11, >= 9.3.0, < 9.3.3
Debian/jqueryuifrom 0, < 1.12.1+dfsg-8+deb11u1
Debian/otrs2from 0
Maven/org.webjars.npm:jquery-uifrom 0, < 1.13.0
npm/jquery-uifrom 0, < 1.13.0
NuGet/jQuery.UI.Combinedfrom 0, < 1.13.0
RubyGems/jquery-ui-railsfrom 0, < 7.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Description

Affected packages (7)

CVSS scores

References (33)