CVE-2022-31160

Public Exploit
jQuery UI contains potential XSS vulnerability when refreshing a checkboxradio with an HTML-like initial text label

Description

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.

Category

6.1
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 6.58% Top 10%
Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory jqueryui.com
Affected: jquery jquery-ui
Published at:
Updated at:

References

Link Tags
https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9 release notes exploit mitigation third party advisory
https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9 third party advisory patch
https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/ release notes vendor advisory
https://www.drupal.org/sa-contrib-2022-052 third party advisory
https://security.netapp.com/advisory/ntap-20220909-0007/ third party advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6/ vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD/ vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO/ vendor advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00015.html third party advisory mailing list

Frequently Asked Questions

What is the severity of CVE-2022-31160?
CVE-2022-31160 has been scored as a medium severity vulnerability.
How to fix CVE-2022-31160?
To fix CVE-2022-31160, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-31160 being actively exploited in the wild?
It is possible that CVE-2022-31160 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~7% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-31160?
CVE-2022-31160 affects jquery jquery-ui.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.