Vulnerability Name: CVE-2021-41184 (CCN-212277) Assigned: 2021-10-26 Published: 2021-10-26 Updated: 2023-06-21 Summary: jQuery jQuery-UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the .position() function. A remote attacker could exploit this vulnerability using the of parameter to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS v3 Severity: 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 6.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:H/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): RequiredScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): NoneIntegrity (I): HighAvailibility (A): None
7.2 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N 6.9 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): ChangedImpact Metrics: Confidentiality (C): LowIntegrity (I): LowAvailibility (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): MediumAuthentication (Au): NoneImpact Metrics: Confidentiality (C): NoneIntegrity (I): PartialAvailibility (A): None
6.4 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): PartialAvailibility (A): None
Vulnerability Consequences: Cross-Site Scripting References: Source: MITRECVE-2021-41184 security-advisories@github.com jquery-cve202141184-xss(212277) security-advisories@github.com XSS in the `of` option of the `.position()` util in jquery-ui security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com security-advisories@github.com Multiple vulnerabilities in jQuery-UI affect IBM Tivoli Netcool Impact (CVE-2021-41182, CVE-2021-41183, CVE-2021-41184) IBM Data Risk Manager is affected by multiple vulnerabilities Cloud Pak for Security uses packages that are vulnerable to multiple CVEs IBM Planning Analytics Workspace is affected by security vulnerabilities IBM Security QRadar SOAR is using a component vulnerable to Cross Site Scripting (CVE-2021-41182, CVE-2021-41183, CVE-2021-41184) Vulnerabilities in Polkit, PostgreSQL, OpenSSL, OpenSSH, and jQuery affect IBM Spectrum Copy Data Management IBM QRadar SIEM is vulnerable to using components with Known Vulnerabilities Multiple Vulnerabilities may affect IBM Robotic Process Automation IBM Cognos Analytics has addressed multiple vulnerabilities IBM InfoSphere Information Analyzer is affected by a cross-site scripting vulnerability in jQuery-UI(CVE-2021-41184) Multiple vulnerabilities in Jquery-Ui, highcharts, and datatables are affecting QRadar User Behavior Analytics (CVE-2021-41182, CVE-2021-41183, CVE-2021-41184, CVE-2021-23445, CVE-2021-29489) IBM Aspera Faspex 4.4.2 has addressed multiple security vulnerabilities API Connect is vulnerable to JQuery-UI Cross-Site Scripting (XSS) (CVE-2021-41184, CVE-2021-41183, CVE-2021-41182) IBM Aspera Orchestrator was vulnerable to cross-site scripting due to multiple JQuery vulnerabilities (CVE-2021-41184, CVE-2021-41183, CVE-2021-41182) EBICS Client of IBM Sterling B2B Interator vulnerable to multiple issues due to jQuery IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2021-41182, CVE-2022-31160, CVE-2021-41184, CVE-2021-41183 Oracle Critical Patch Update Advisory - April 2022 security-advisories@github.com Oracle Critical Patch Update Advisory - July 2022 security-advisories@github.com security-advisories@github.com CVE-2021-41184 Vulnerable Configuration: Configuration CCN 1 :cpe:/a:ibm:tivoli_netcool/impact:7.1.0:*:*:*:*:*:*:* OR cpe:/a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:* OR cpe:/a:oracle:hospitality_suite8:8.10.2:*:*:*:*:*:*:* OR cpe:/a:oracle:agile_plm_framework:9.3.6:*:*:*:*:*:*:* OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_unifier:17.12:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* OR cpe:/a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.3:-:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.6:*:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.6.1:*:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.6.2:*:*:*:*:*:*:* OR cpe:/a:ibm:api_connect:10.0.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:* OR cpe:/a:ibm:engineering_workflow_management:7.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:engineering_workflow_management:7.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:api_connect:10.0.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.3:-:*:*:*:*:*:* OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:* OR cpe:/a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:* OR cpe:/a:ibm:cognos_analytics:11.1.7:-:*:*:*:*:*:* OR cpe:/a:ibm:cognos_analytics:11.2.1:*:*:*:*:*:*:* OR cpe:/a:ibm:planning_analytics_workspace:2.0:*:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.6.4:*:*:*:*:*:*:* OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.5.0:-:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_copy_data_management:2.2.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_copy_data_management:2.2.14.3:*:*:*:*:*:*:* OR cpe:/a:ibm:robotic_process_automation:21.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:aspera_faspex:4.4.1:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.0.3.7:*:*:*:standard:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.1.2.1:*:*:*:standard:*:*:* BACK
ibm tivoli netcool/impact 7.1.0
oracle weblogic server 12.2.1.3.0
oracle hospitality suite8 8.10.2
oracle agile plm framework 9.3.6
ibm infosphere information server 11.7
oracle primavera unifier 17.12
oracle primavera unifier 18.8
oracle hospitality materials control 18.1
ibm sterling b2b integrator 6.0.0.0
ibm qradar security information and event manager 7.3.3
ibm data risk manager 2.0.6
ibm data risk manager 2.0.6.1
ibm data risk manager 2.0.6.2
ibm api connect 10.0.0.0
ibm sterling b2b integrator 6.1.0.0
ibm engineering workflow management 7.0.1
ibm engineering workflow management 7.0.2
ibm api connect 10.0.1.0
ibm qradar security information and event manager 7.4.3 -
ibm cloud pak for security 1.7.2.0
ibm cognos analytics 11.2.0
ibm cognos analytics 11.1.7
ibm cognos analytics 11.2.1
ibm planning analytics workspace 2.0
ibm data risk manager 2.0.6.4
ibm qradar security information and event manager 7.5.0 -
ibm spectrum copy data management 2.2.0.0
ibm spectrum copy data management 2.2.14.3
ibm robotic process automation 21.0.1
ibm aspera faspex 4.4.1
ibm sterling b2b integrator 6.0.3.7
ibm sterling b2b integrator 6.1.2.1
Denotes that component is vulnerable