Updated advisory posts against rubysec/ruby-advisory-db@23cb90e

postmodern · RubySec CI · commit 8d3d5efe44f4 · 2024-02-13T09:26:02.000Z
diff --git a/advisories/_posts/2022-07-15-CVE-2022-31160.md b/advisories/_posts/2022-07-15-CVE-2022-31160.md
@@ -0,0 +1,49 @@
+---
+layout: advisory
+title: 'CVE-2022-31160 (jquery-ui-rails): jQuery UI vulnerable to XSS when refreshing
+  a checkboxradio with an HTML-like initial text label'
+comments: false
+categories:
+- jquery-ui-rails
+advisory:
+  gem: jquery-ui-rails
+  cve: 2022-31160
+  ghsa: h6gj-6jjq-h8g9
+  url: https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
+  title: jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like
+    initial text label
+  date: 2022-07-15
+  description: "### Impact\nInitializing a checkboxradio widget on an input enclosed
+    within a label makes\nthat parent label contents considered as the input label.
+    If you call\n`.checkboxradio( \"refresh\" )` on such a widget and the initial
+    HTML contained\nencoded HTML entities, they will erroneously get decoded. This
+    can lead to\npotentially executing JavaScript code.\n\nFor example, starting with
+    the following initial secure HTML:\n\n```html\n<label>\n\t<input id=\"test-input\">\n\t&lt;img
+    src=x onerror=\"alert(1)\"&gt;\n</label>\n```\n\nand calling:\n\n```javascript\n$(
+    \"#test-input\" ).checkboxradio();\n$( \"#test-input\" ).checkboxradio( \"refresh\"
+    );\n```\n\nwill turn the initial HTML into:\n\n```html\n<label>\n\t<!-- some jQuery
+    UI elements -->\n\t<input id=\"test-input\">\n\t<img src=x onerror=\"alert(1)\">\n</label>\n```\n\nand
+    the alert will get executed.\n\n### Patches\nThe bug has been patched in jQuery
+    UI 1.13.2.\n\n### Workarounds\nTo remediate the issue, if you can change the initial
+    HTML, you can wrap all\nthe non-input contents of the `label` in a `span`:\n\n```html\n<label>\n\t<input
+    id=\"test-input\">\n\t<span>&lt;img src=x onerror=\"alert(1)\"&gt;</span>\n</label>\n```\n\n###
+    References\nhttps://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/\n\n###
+    For more information\nIf you have any questions or comments about this advisory,
+    search for a\nrelevant issue in [the jQuery UI repo](https://github.com/jquery/jquery-ui/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc).\nIf
+    you don't find an answer, open a new issue.\n"
+  cvss_v3: 6.1
+  patched_versions:
+  - ">= 7.0.0"
+  related:
+    url:
+    - https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-31160
+    - https://github.com/advisories/GHSA-h6gj-6jjq-h8g9#:~:text=https%3A//nvd.nist,12/msg00015.html
+    - https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/
+    - https://www.drupal.org/sa-contrib-2022-052
+    - https://security.netapp.com/advisory/ntap-20220909-0007/
+    - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD/
+    - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO/
+    - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6/
+    - https://lists.debian.org/debian-lts-announce/2022/12/msg00015.html
+---
