Description
Kayran has detected that the version of jQuery UI in use is potentially vulnerable to cross-site scripting (XSS), tracked as CVE-2022-31160.
Initializing a “checkboxradio” widget on an input enclosed within a label makes the widget treat the contents of the parent label as the input’s own label text.
Calling “refresh” on such a widget and then removing it writes the label contents back into the page unencoded, so text that was originally HTML-encoded (and therefore only displayed) is re-parsed as markup, and any script it carries executes in the victim’s browser.
Successful exploitation could expose sensitive information accessible to the victim’s session.
It could also allow the attacker to add or modify data in the application on the victim’s behalf.
Severity/Score
CVSS Version 3.x – 6.1 Medium
Recommendation
To fix CVE-2022-31160, update the jQuery UI version being used to 1.13.2 or higher.
As a workaround where an upgrade is not immediately possible, change the initial HTML so that all non-input contents of the “label” are wrapped in a “span” tag; the widget then keeps that content as an element instead of re-interpreting it as text.
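As an added example (not Kayran’s or jQuery UI’s code), the following stand-alone Node.js script models the mechanism described above and why the span workaround helps: a widget that reads a label’s child nodes, keeps text nodes as decoded text and elements as serialized HTML, and later writes the stored string back as HTML. The node objects, helper names and the `alert(1)` payload are constructed for illustration; `isVulnerableVersion` encodes the advisory’s fixed version 1.13.2 and is meant for version strings such as the value of `$.ui.version` copied from an affected page.

```javascript
// Added example: a stand-alone model of the CVE-2022-31160 mechanism.
// This is NOT jQuery UI's code or Kayran's; it imitates in plain Node.js,
// without a DOM, how a checkboxradio-style widget reads its parent <label>'s
// child nodes and later writes the stored string back as HTML. All node
// objects, helper names and the sample payload are constructed for illustration.

// Escape text so it survives insertion via innerHTML / .html() / .append().
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Inverse of escapeHtml for the entities used here: a browser exposes a text
// node's nodeValue already decoded, which is the root of the problem.
function decodeEntities(s) {
  return s
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, "&");
}

// Child nodes of a <label> as a widget sees them after the browser parsed the
// page. Text nodes carry the DECODED nodeValue, element nodes their outerHTML.
// Constructed from:
//   <label><input type="checkbox">&lt;img src=x onerror=alert(1)&gt;</label>
const bareTextLabel = [
  { type: "element", tag: "input", outerHTML: '<input type="checkbox">' },
  { type: "text", nodeValue: decodeEntities("&lt;img src=x onerror=alert(1)&gt;") },
];

// Same content with the advisory's workaround applied, constructed from:
//   <label><input type="checkbox"><span>&lt;img src=x onerror=alert(1)&gt;</span></label>
const spanWrappedLabel = [
  { type: "element", tag: "input", outerHTML: '<input type="checkbox">' },
  { type: "element", tag: "span", outerHTML: "<span>&lt;img src=x onerror=alert(1)&gt;</span>" },
];

// Everything in the label except the input itself.
function labelContents(nodes) {
  return nodes.filter((n) => !(n.type === "element" && n.tag === "input"));
}

// Pre-1.13.2 behaviour (modelled): text nodes are captured as decoded text,
// elements as outerHTML, and the concatenation is later re-inserted as HTML.
function readLabelVulnerable(nodes) {
  return labelContents(nodes)
    .map((n) => (n.type === "text" ? n.nodeValue : n.outerHTML))
    .join("");
}

// Fixed behaviour (modelled): text nodes are re-escaped before being stored,
// so writing the string back as HTML reproduces the original text.
function readLabelFixed(nodes) {
  return labelContents(nodes)
    .map((n) => (n.type === "text" ? escapeHtml(n.nodeValue) : n.outerHTML))
    .join("");
}

// Would re-inserting this stored string as HTML create a live <tag>?
function injectsTag(storedHtml, tag) {
  return new RegExp("<" + tag + "\\b", "i").test(storedHtml);
}

// Advisory range: every jQuery UI release below 1.13.2 is listed as affected.
// Intended for version strings such as the value of $.ui.version on a page.
function isVulnerableVersion(version) {
  const fixed = [1, 13, 2];
  const parts = String(version).split(".").map((p) => parseInt(p, 10) || 0);
  for (let i = 0; i < fixed.length; i++) {
    const v = parts[i] || 0;
    if (v < fixed[i]) return true;
    if (v > fixed[i]) return false;
  }
  return false;
}

// Demo: compare what each reader stores for both label shapes, then check versions.
function demo() {
  for (const [name, nodes] of [["bare text", bareTextLabel], ["span-wrapped", spanWrappedLabel]]) {
    const vuln = readLabelVulnerable(nodes);
    const safe = readLabelFixed(nodes);
    console.log(`${name}: vulnerable reader stores ${JSON.stringify(vuln)} (live <img>: ${injectsTag(vuln, "img")})`);
    console.log(`${name}: fixed reader stores ${JSON.stringify(safe)} (live <img>: ${injectsTag(safe, "img")})`);
  }
  for (const v of ["1.12.1", "1.13.1", "1.13.2", "1.14.0"]) {
    console.log(`jQuery UI ${v}: ${isVulnerableVersion(v) ? "affected" : "fixed"}`);
  }
}
demo();
```

Run with `node`: the vulnerable reader stores the payload as live markup for the bare-text label, while the fixed reader (which re-escapes text nodes) and the span-wrapped label both keep it as escaped text, which is exactly why the workaround holds even on an unpatched release. On a real page the corresponding check is the value of `$.ui.version` in the browser console together with a look at whether labels wrapping checkbox or radio inputs contain bare text next to the input.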
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31160