CVE-2010-5312
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library. The Dialog widget is one of the most commonly used components, providing modal and non-modal dialog boxes for user interactions.
A medium-severity Cross-Site Scripting (XSS) vulnerability (CVE-2010-5312) has been identified in jQuery UI's Dialog widget. The dialog title rendering logic used .html() instead of .text() to display user-supplied content, allowing attackers to inject malicious scripts through crafted title strings. This could lead to arbitrary JavaScript execution in the context of the victim's browser session.
Per OWASP: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
Details
Module Info
- Product: jQuery UI
- Affected packages: jquery-ui
- Affected versions: >=1.7.0 <1.10.0
- GitHub repository: https://github.com/jquery/jquery-ui
- Published packages: https://www.npmjs.com/package/jquery-ui
- Package manager: npm
- Fixed in:
  - OSS v1.10.0
  - NES for jQuery UI v1.8.26
Vulnerability Info
This medium-severity vulnerability is found in jQuery UI versions greater than or equal to 1.7.0 and before 1.10.0. See the affected versions above for specific details.
The vulnerability affected the Dialog widget's title rendering:
- The _create() method used .html() to set the dialog title content directly from user-supplied options or element attributes.
- No HTML entity escaping was performed on title strings before rendering.
- Attackers could inject <script> tags, <img> tags with onerror handlers, or other malicious HTML through the title option.
This vulnerability could be exploited by:
- Providing crafted title content containing script tags: $('<div></div>').dialog({ title: '<script>alert("XSS")</script>' })
- Injecting event handlers through HTML attributes: title: '<img src=x onerror=alert("XSS")>'
- Using malicious title attributes on dialog source elements: <div title="<b onmouseover=alert('XSS')>Click</b>"></div>
- Passing untrusted user input directly to the dialog title option without sanitization
Mitigation
jQuery UI version 1.8.x is End-of-Life and will not receive any updates to address this issue from the jQuery team.
Users of the affected Dialog widget should apply one of the following mitigations:
- Upgrade affected applications to jQuery UI 1.10.0 or later, which includes the fix.
- Sanitize all user input before passing it to the dialog title option.
- Leverage a commercial support partner like HeroDevs for post-EOL security support and backported fixes.
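One way to apply the sanitization mitigation while an upgrade is pending, as an added example that is not code from jQuery UI or HeroDevs: it HTML-escapes the title only when the loaded jQuery UI version falls in the affected range given above. The names `escapeHtml`, `isAffectedVersion` and `safeDialogOptions` are hypothetical, and the helper assumes an explicit title option takes precedence over the source element's title attribute.

```javascript
// Added example: a constructed helper, not code from jQuery UI or HeroDevs.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that let a string leave text context when parsed as HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// True when the version is in the advisory's affected range (>=1.7.0 <1.10.0).
// A version that cannot be parsed is treated as affected (fail closed).
function isAffectedVersion(version) {
  const [major, minor] = String(version).split('.').map((part) => parseInt(part, 10));
  if (!Number.isInteger(major) || !Number.isInteger(minor)) return true;
  return major === 1 && minor >= 7 && minor < 10;
}

// Return a copy of the dialog options whose title is safe to hand to .dialog().
// elementTitle is the source element's title attribute, the second input the
// advisory lists; assumption: an explicit title option overrides the attribute.
function safeDialogOptions(options, uiVersion, elementTitle) {
  const safe = Object.assign({}, options);
  const title = safe.title != null ? safe.title : elementTitle;
  // Fixed versions render the title as text, so escaping there would display
  // the entities literally; escape only for affected versions.
  if (title != null && isAffectedVersion(uiVersion)) {
    safe.title = escapeHtml(title);
  }
  return safe;
}

// Browser usage (not run here):
//   $(el).dialog(safeDialogOptions({ title: userInput }, $.ui.version, el.getAttribute('title')));
```

The range check goes by version number alone, so a 1.8.x build carrying a backported fix is still treated as affected and its titles would show the escaped entities as literal text.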