CVE-2021-41184

MEDIUM6.5EPSS 31.1%

XSS in the `of` option of the `.position()` util in jquery-ui

Published: 10/26/2021Modified: 3/13/2026

Also known as:GHSA-gpqq-952q-5327BIT-drupal-2021-41184

Description

### Impact Accepting the value of the `of` option of the [`.position()`](https://api.jqueryui.com/position/) util from untrusted sources may execute untrusted code. For example, invoking the following code: ```js $( "#element" ).position( { my: "left top", at: "right bottom", of: "<img onerror='doEvilThing()' src='/404' />", collision: "none" } ); ``` will call the `doEvilThing()` function. ### Patches The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. ### Workarounds A workaround is to not accept the value of the `of` option from untrusted sources. ### For more information If you have any questions or comments about this advisory, search for a relevant issue in [the jQuery UI repo](https://github.com/jquery/jquery-ui/issues). If you don't find an answer, open a new issue.

Affected packages (7)

Bitnami/drupal>= 7.0.0, < 7.86.0, >= 9.2.0, < 9.2.11, >= 9.3.0, < 9.3.3
Debian/jqueryuifrom 0, < 1.12.1+dfsg-8+deb11u1
Debian/otrs2from 0
Maven/org.webjars.npm:jquery-uifrom 0, < 1.13.0
npm/jquery-uifrom 0, < 1.13.0
NuGet/jQuery.UI.Combinedfrom 0, < 1.13.0
RubyGems/jquery-ui-railsfrom 0, < 7.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Description

Affected packages (7)

CVSS scores

References (30)