CVE-2021-41184: jQuery UI XSS Vulnerability

CVE-2021-41184 Overview

CVE-2021-41184 is a Cross-Site Scripting (XSS) vulnerability in jQuery-UI, the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the of option of the .position() utility from untrusted sources may execute untrusted code. The vulnerability allows attackers to inject malicious scripts when the of option is passed with attacker-controlled input, as the library incorrectly processed string values without treating them as CSS selectors.

Critical Impact
Applications using jQuery-UI versions prior to 1.13.0 that accept user-controlled input for the .position() utility's of option are vulnerable to XSS attacks, potentially leading to session hijacking, credential theft, and malicious content injection.

Affected Products

jQuery UI versions prior to 1.13.0
Drupal (multiple versions)
Fedora 33, 34, 35, 36
NetApp H300S, H500S, H700S, H300E, H500E, H700E, H410S, H410C firmware
Oracle WebLogic Server 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
Oracle Application Express
Oracle PeopleSoft Enterprise PeopleTools 8.58, 8.59
Tenable.sc

Discovery Timeline

October 26, 2021 - CVE-2021-41184 published to NVD
November 4, 2025 - Last updated in NVD database

Technical Details for CVE-2021-41184

Vulnerability Analysis

This Cross-Site Scripting vulnerability exists in the .position() utility function within jQuery-UI. The root issue stems from how the library handles the of option parameter, which specifies the element that the positioned element should be positioned relative to. When a string value was passed to this option, it was directly passed to the jQuery selector function without proper sanitization, allowing the execution of arbitrary JavaScript code.

The vulnerability is particularly concerning because jQuery's selector function historically allowed executing inline JavaScript through certain selector patterns. An attacker who can control the value passed to the of option can inject malicious script content that will be executed in the context of the victim's browser session.

Root Cause

The vulnerability originated from insufficient input validation in the position utility's handling of the of option. When a string was provided, it was directly wrapped with $() without first validating that it should be treated as a CSS selector. This behavior allowed HTML strings containing script elements to be parsed and executed rather than treated as selector queries.

Attack Vector

The attack requires user interaction, as the victim must visit a page where the vulnerable .position() function is called with attacker-controlled input. The attack vector is network-based, targeting web applications that:

Use jQuery-UI versions prior to 1.13.0
Accept user input that is passed to the .position() utility's of option
Do not sanitize the input before passing it to the function

javascript

 	options = $.extend( {}, options );
 
 	var atOffset, targetWidth, targetHeight, targetOffset, basePosition, dimensions,
-		target = $( options.of ),
+
+		// Make sure string options are treated as CSS selectors
+		target = typeof options.of === "string" ?
+			$( document ).find( options.of ) :
+			$( options.of ),
+
 		within = $.position.getWithinInfo( options.within ),
 		scrollInfo = $.position.getScrollInfo( within ),
 		collision = ( options.collision || "flip" ).split( " " ),

Source: jQuery UI Security Patch Commit

The fix ensures that string values passed to the of option are explicitly treated as CSS selectors using $( document ).find() rather than being passed directly to the jQuery constructor, which could interpret them as HTML.

Detection Methods for CVE-2021-41184

Indicators of Compromise

Unusual JavaScript execution patterns in web application logs associated with UI positioning functions
Web application firewall logs showing attempts to inject script tags or event handlers in URL parameters or form fields
Client-side error logs indicating unexpected HTML parsing in jQuery selector contexts
Browser console errors related to position utility failures after injection attempts

Detection Strategies

Implement Content Security Policy (CSP) headers to detect and block unauthorized script execution
Monitor web application logs for suspicious input patterns containing HTML or JavaScript in UI-related parameters
Use browser developer tools to audit calls to .position() and verify the source of the of parameter
Deploy web application firewalls with rules to detect XSS payloads targeting jQuery-UI functions

Monitoring Recommendations

Enable client-side JavaScript error monitoring to capture anomalous behavior in jQuery-UI functions
Implement runtime application self-protection (RASP) to detect and block XSS exploitation attempts
Review application code for instances where user input is passed to .position() without sanitization
Monitor for dependency version information to ensure jQuery-UI has been updated to 1.13.0 or later

How to Mitigate CVE-2021-41184

Immediate Actions Required

Update jQuery-UI to version 1.13.0 or later immediately
Audit application code to identify all usages of the .position() utility's of option
Implement input validation to ensure only CSS selectors or DOM elements are passed to the of option
Deploy Content Security Policy headers to mitigate the impact of potential XSS exploitation

Patch Information

The vulnerability is fixed in jQuery UI version 1.13.0. Organizations should upgrade to this version or later. The security fix ensures that any string value passed to the of option is now treated strictly as a CSS selector using $( document ).find() rather than being passed directly to the jQuery constructor.

For detailed patch information, refer to the jQuery UI 1.13.0 Release or the GitHub Security Advisory GHSA-gpqq-952q-5327.

Downstream vendors have also released patches:

Workarounds

Do not accept the value of the of option from untrusted sources until the upgrade is applied
Sanitize all user input before passing it to jQuery-UI's .position() function
Use DOM elements directly instead of string selectors when calling .position() with user-influenced parameters
Implement strict Content Security Policy headers to limit script execution sources

bash

# Configuration example - Content Security Policy Header
# Add to web server configuration (Apache example)
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"

# Nginx example
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'";

CVE-2021-41184 Overview

Critical Impact
Applications using jQuery-UI versions prior to 1.13.0 that accept user-controlled input for the .position() utility's of option are vulnerable to XSS attacks, potentially leading to session hijacking, credential theft, and malicious content injection.

Affected Products

jQuery UI versions prior to 1.13.0
Drupal (multiple versions)
Fedora 33, 34, 35, 36
NetApp H300S, H500S, H700S, H300E, H500E, H700E, H410S, H410C firmware
Oracle WebLogic Server 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
Oracle Application Express
Oracle PeopleSoft Enterprise PeopleTools 8.58, 8.59
Tenable.sc

Discovery Timeline

October 26, 2021 - CVE-2021-41184 published to NVD
November 4, 2025 - Last updated in NVD database

Technical Details for CVE-2021-41184

Vulnerability Analysis

Root Cause

Attack Vector

Use jQuery-UI versions prior to 1.13.0
Accept user input that is passed to the .position() utility's of option
Do not sanitize the input before passing it to the function

javascript

 	options = $.extend( {}, options );
 
 	var atOffset, targetWidth, targetHeight, targetOffset, basePosition, dimensions,
-		target = $( options.of ),
+
+		// Make sure string options are treated as CSS selectors
+		target = typeof options.of === "string" ?
+			$( document ).find( options.of ) :
+			$( options.of ),
+
 		within = $.position.getWithinInfo( options.within ),
 		scrollInfo = $.position.getScrollInfo( within ),
 		collision = ( options.collision || "flip" ).split( " " ),

Source: jQuery UI Security Patch Commit

Detection Methods for CVE-2021-41184

Indicators of Compromise

Unusual JavaScript execution patterns in web application logs associated with UI positioning functions
Web application firewall logs showing attempts to inject script tags or event handlers in URL parameters or form fields
Client-side error logs indicating unexpected HTML parsing in jQuery selector contexts
Browser console errors related to position utility failures after injection attempts

Detection Strategies

Implement Content Security Policy (CSP) headers to detect and block unauthorized script execution
Monitor web application logs for suspicious input patterns containing HTML or JavaScript in UI-related parameters
Use browser developer tools to audit calls to .position() and verify the source of the of parameter
Deploy web application firewalls with rules to detect XSS payloads targeting jQuery-UI functions

Monitoring Recommendations

Enable client-side JavaScript error monitoring to capture anomalous behavior in jQuery-UI functions
Implement runtime application self-protection (RASP) to detect and block XSS exploitation attempts
Review application code for instances where user input is passed to .position() without sanitization
Monitor for dependency version information to ensure jQuery-UI has been updated to 1.13.0 or later

How to Mitigate CVE-2021-41184

Immediate Actions Required

Update jQuery-UI to version 1.13.0 or later immediately
Audit application code to identify all usages of the .position() utility's of option
Implement input validation to ensure only CSS selectors or DOM elements are passed to the of option
Deploy Content Security Policy headers to mitigate the impact of potential XSS exploitation

Patch Information

For detailed patch information, refer to the jQuery UI 1.13.0 Release or the GitHub Security Advisory GHSA-gpqq-952q-5327.

Downstream vendors have also released patches:

Workarounds

Do not accept the value of the of option from untrusted sources until the upgrade is applied
Sanitize all user input before passing it to jQuery-UI's .position() function
Use DOM elements directly instead of string selectors when calling .position() with user-influenced parameters
Implement strict Content Security Policy headers to limit script execution sources

bash

# Configuration example - Content Security Policy Header
# Add to web server configuration (Apache example)
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"

# Nginx example
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'";

CVE-2021-41184: jQuery UI XSS Vulnerability

CVE-2021-41184 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2021-41184

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2021-41184

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2021-41184

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2021-41184: jQuery UI XSS Vulnerability

CVE-2021-41184 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2021-41184

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2021-41184

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2021-41184

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform