CVE-2022-31160 Report - Details, Severity, & Advisories

Twingate Team

May 31, 2024

What is CVE-2022-31160?

CVE-2022-31160 is a medium-severity vulnerability affecting jQuery UI, a popular library used for building user interfaces in web applications and websites. This vulnerability specifically impacts versions prior to 1.13.2 and can lead to cross-site scripting (XSS) attacks when refreshing a checkboxradio widget with an HTML-like initial text label.

Who is affected by CVE-2022-31160?

The issue occurs when a checkboxradio widget is initialized on an input enclosed within a label and the widget is then refreshed while the label's initial HTML contains encoded entities. This can potentially lead to cross-site scripting attacks. Users of the Checkboxradio widget in jQuery UI are affected, as are those using the jQuery UI library from Debian 10 buster packages prior to version 1.12.1+dfsg-5+deb10u1.

What to do if CVE-2022-31160 affected you

If you're affected by the CVE-2022-31160 vulnerability, it's crucial to update your jQuery UI to version 1.13.2. Follow these simple steps:

  1. Visit the jQuery UI 1.13.2 release page.

  2. Download the updated version of jQuery UI.

  3. Replace your current jQuery UI library with the downloaded version.

  4. Test your web application or website to ensure it functions correctly with the updated library.

For Debian 10 buster users, upgrade the jqueryui packages to version 1.12.1+dfsg-5+deb10u1 as recommended in the Debian security update.
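Before and after the upgrade it helps to confirm which bundled copies of jQuery UI are still older than 1.13.2 and whether the application refreshes a checkboxradio widget at all. The following triage script is an added example, not code from the jQuery UI project or the advisory; the function names, file paths and sample file contents are constructed, and it assumes the library file still carries its stock `/*! jQuery UI - vX.Y.Z` banner.

```javascript
// Added example: triage a source tree for CVE-2022-31160 exposure.
const FIXED = [1, 13, 2]; // first fixed release, as stated on this page

// Assumption: the stock build banner is intact, e.g.
// "/*! jQuery UI - v1.12.1 - 2016-09-14". Stripped banners yield null.
function bannerVersion(source) {
  const m = /jQuery UI\s*-\s*v(\d+)\.(\d+)\.(\d+)/.exec(source.slice(0, 2048));
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when version is strictly lower than fixed (major, minor, patch).
function isBefore(version, fixed) {
  for (let i = 0; i < 3; i++) {
    if (version[i] !== fixed[i]) return version[i] < fixed[i];
  }
  return false; // equal versions are not "before"
}

// The affected code path is a refresh of a checkboxradio widget.
const REFRESH_CALL = /\.checkboxradio\(\s*["']refresh["']\s*\)/;

// files: object mapping path -> file contents.
function triage(files) {
  const outdated = [];
  const refreshCallers = [];
  for (const [path, source] of Object.entries(files)) {
    const v = bannerVersion(source);
    if (v && isBefore(v, FIXED)) outdated.push({ path, version: v.join(".") });
    if (REFRESH_CALL.test(source)) refreshCallers.push(path);
  }
  const exposed = outdated.length > 0 && refreshCallers.length > 0;
  return { outdated, refreshCallers, exposed };
}

// Constructed sample tree (not real project files).
const sampleFiles = {
  "vendor/jquery-ui.min.js": "/*! jQuery UI - v1.12.1 - 2016-09-14\n* http://jqueryui.com */\n(function(){})();",
  "vendor/new/jquery-ui.js": "/*! jQuery UI - v1.13.2 - 2022-07-14\n* http://jqueryui.com */\n(function(){})();",
  "app/settings.js": "$('#opts input').checkboxradio();\n$('#opts input').checkboxradio( \"refresh\" );",
};
console.log(JSON.stringify(triage(sampleFiles), null, 2));
```

A `null` banner result means the version could not be determined from the file, not that the copy is patched; check `$.ui.version` in the running page for those cases.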

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

The CVE-2022-31160 vulnerability in jQuery UI is not listed in CISA's Known Exploited Vulnerabilities Catalog.

Weakness Enumeration

This vulnerability is categorized as CWE-79, a cross-site scripting weakness, and affects jQuery UI versions prior to 1.13.2.

Learn More

To better understand the vulnerability and its implications, consult the NVD page and the sources listed below.
