CVE-2022-31160 Overview
CVE-2022-31160 is a Cross-Site Scripting (XSS) vulnerability in jQuery UI, a widely used JavaScript library that provides a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are affected; the flaw is in the checkboxradio widget.
The vulnerability occurs when a checkboxradio widget is initialized on an input element enclosed within a label tag. If the label's original HTML contains encoded HTML entities and .checkboxradio("refresh") is later called on the widget, those entities are erroneously decoded and the decoded string is written back into the label as markup. Content that was safely escaped when the page was first rendered can therefore become executable JavaScript in the victim's browser.
Critical Impact
An attacker who can get HTML-encoded markup into such a label can have arbitrary JavaScript run in the browser of every user whose page refreshes the widget, enabling session hijacking, credential theft, defacement, or malware distribution through the affected application.
Affected Products
- jQuery UI versions prior to 1.13.2
- Drupal jQuery UI Checkboxradio module (versions 8.x-1.0 through 8.x-1.3)
- NetApp H300S, H500S, H700S, H410S, and H410C firmware
- NetApp OnCommand Insight
- Fedora 35, 36, and 37
- Debian Linux 10.0
Discovery Timeline
- 2022-07-20 - CVE-2022-31160 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-31160
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw is in how the checkboxradio widget captures the label's contents at creation and re-applies them on refresh.
When a checkboxradio widget is initialized on an input element nested within a label element, jQuery UI treats the rest of the label's contents as the input's label text and stores a string version of it. Text nodes are read as text, which yields the decoded characters: a label written as &lt;script&gt; in the HTML source is captured as <script>. On refresh the stored string is written back into the label as HTML, so markup the page author had escaped is now parsed, and the encoded string becomes a script element.
This is a failure to preserve output encoding across the widget lifecycle: the same content is safe at first render and dangerous after refresh, with no new input required in between.
Root Cause
The root cause is in _getCreateOptions, which builds the original label string from the label's child nodes. Text nodes contribute their decoded text rather than their escaped HTML, so the encoded state of entities is lost, and the refresh path later re-inserts that string as HTML instead of as text.
The fix changes ui/widgets/checkboxradio.js so that the non-input label contents are serialized as HTML, which keeps text escaped and stops text labels from being re-evaluated as HTML on refresh.
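The following is an added example, not jQuery UI's own code: a small model of the DOM behaviour the root cause depends on. DOM text nodes hold decoded characters (what Text.data and $(node).text() return), serializing through innerHTML re-escapes them, and jQuery's .append(string) parses its argument as HTML. The sample label children are constructed by hand; the flat fragment parser, the entity tables and the function names are assumptions made for the demonstration. It also shows why the span workaround works on unpatched code: element nodes are serialized via outerHTML in both versions, so their escaping survives.

```javascript
// Added example (not jQuery UI's own code): model of the DOM semantics behind
// CVE-2022-31160. Text nodes hold DECODED characters, innerHTML re-encodes
// them, and .append(string) parses the string as HTML.

const ENTITIES = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" };

function decodeEntities(s) {
  return s.replace(/&(?:amp|lt|gt|quot|#39);/g, (m) => ENTITIES[m]);
}

function encodeText(s) {
  return s.replace(/[&<>]/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;" }[c]));
}

// Tiny flat HTML fragment parser (assumption: no nesting needed for the demo).
// Just enough to tell whether a string yields element nodes or only text.
function parseFragment(html) {
  const nodes = [];
  const tagRe = /<\/?([a-zA-Z][\w-]*)([^>]*)>/g;
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (m.index > last) {
      nodes.push({ type: "text", data: decodeEntities(html.slice(last, m.index)) });
    }
    if (!m[0].startsWith("</")) {
      nodes.push({ type: "element", tag: m[1].toLowerCase(), attrs: m[2].trim(), outerHTML: m[0] });
    }
    last = tagRe.lastIndex;
  }
  if (last < html.length) {
    nodes.push({ type: "text", data: decodeEntities(html.slice(last)) });
  }
  return nodes;
}

// Constructed sample: the child nodes a browser builds for
//   <label><input type="checkbox">&lt;img src=x onerror=alert(1)&gt;</label>
// The page author escaped the payload, so it renders as harmless text.
const inputNode = { type: "element", tag: "input", attrs: 'type="checkbox"', outerHTML: '<input type="checkbox">' };
const labelChildren = [
  inputNode,
  { type: "text", data: "<img src=x onerror=alert(1)>" }, // Text.data is already decoded
];

// jQuery UI < 1.13.2 (_getCreateOptions): text nodes contribute $(node).text(),
// elements contribute outerHTML. The escaping of text nodes is lost here.
function originalLabelVulnerable(children, input) {
  return children
    .filter((n) => n !== input)
    .map((n) => (n.type === "text" ? n.data : n.outerHTML))
    .join("");
}

// jQuery UI 1.13.2: the non-input nodes are serialized as HTML, which
// re-escapes text nodes (modelled here by encodeText).
function originalLabelFixed(children, input) {
  return children
    .filter((n) => n !== input)
    .map((n) => (n.type === "text" ? encodeText(n.data) : n.outerHTML))
    .join("");
}

// The span workaround: a bare text node becomes an element, and elements are
// serialized via outerHTML in both code paths, so the escaping survives.
function wrapTextInSpans(children) {
  return children.map((n) =>
    n.type === "text"
      ? { type: "element", tag: "span", attrs: "", outerHTML: `<span>${encodeText(n.data)}</span>` }
      : n
  );
}

// refresh(): the stored label string is appended to the label as HTML.
function refreshLabel(labelString) {
  return parseFragment(labelString);
}

function hasEventHandlerElement(nodes) {
  return nodes.some((n) => n.type === "element" && /\bon[a-z]+\s*=/i.test(n.attrs));
}

const vulnerable = refreshLabel(originalLabelVulnerable(labelChildren, inputNode));
const fixed = refreshLabel(originalLabelFixed(labelChildren, inputNode));
const workedAround = refreshLabel(originalLabelVulnerable(wrapTextInSpans(labelChildren), inputNode));
console.log("pre-1.13.2 refresh creates an element with a handler:", hasEventHandlerElement(vulnerable)); // true
console.log("1.13.2 refresh:", hasEventHandlerElement(fixed)); // false
console.log("span workaround on pre-1.13.2 code:", hasEventHandlerElement(workedAround)); // false
```

The three console lines are the whole story: the same label content produces an element with an onerror handler after refresh on the old code path, a single text node on the fixed path, and a harmless span containing text when the workaround is applied to the old path.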
Attack Vector
An attacker can exploit this vulnerability through the following attack flow:
- The attacker identifies a web application using a vulnerable version of jQuery UI with checkboxradio widgets
- The attacker crafts or influences label content, wrapped around a checkbox or radio input, that contains HTML-encoded markup; when the page is first rendered this content is displayed as harmless text
- Application code calls .checkboxradio("refresh") on that widget, and the stored label string, now decoded, is appended to the label as HTML
- The resulting script runs in the application's origin, with access to the DOM and to any cookies not marked HttpOnly
User interaction is required: the victim must load a page that contains the injected label and something must trigger the refresh. The impact reaches beyond the widget itself, since the script runs with the application's origin privileges (a scope change in CVSS terms).
// Security patch in ui/widgets/checkboxradio.js - Checkboxradio: Don't re-evaluate text labels as HTML
},
_getCreateOptions: function() {
- var disabled, labels;
- var that = this;
+ var disabled, labels, labelContents;
var options = this._super() || {};
// We read the type here, because it makes more sense to throw a element type error first,
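Review bot: the hunk removes `var that = this;`, so the callback further down that captured `that` to build the label string must have been rewritten too, but the excerpt stops at the "We read the type here" comment before that change, and `labelContents` is declared here without ever being assigned in the shown lines. Include the lines where `labelContents` is populated and serialized, since that is the part that actually stops text labels from being re-read as HTML; as shown, a reader cannot verify the fix from this hunk alone.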
Source: GitHub jQuery UI Commit
Detection Methods for CVE-2022-31160
Indicators of Compromise
- Label text of checkbox or radio inputs that contains HTML-encoded tags or event-handler attributes (an escaped <script> tag, an escaped onerror= attribute), especially in user-editable fields that the application renders into labels
- Unexpected JavaScript execution or unusual DOM modifications on pages that call .checkboxradio("refresh")
- Client-side errors or CSP reports tied to jQuery UI widget refresh operations; note that a successful injection produces no server-side error
- Reports of session hijacking or credential theft from application users
Detection Strategies
- Audit all JavaScript dependencies and vendored copies for jQuery UI versions below 1.13.2 using software composition analysis (SCA) tools, including minified files under static asset directories that package-manifest scanning can miss
- Monitor Content Security Policy (CSP) violation reports for inline script execution attempts
- Search stored content that the application renders into checkboxradio labels for HTML-encoded tags and event-handler attributes
- Use CSP (report-only first, then enforced) and client-side error monitoring to detect script injection in the browser, since the injection happens entirely client-side
Monitoring Recommendations
- Enable CSP reporting to capture attempted script injections on pages with jQuery UI widgets
- Deploy web application firewalls (WAF) with rules to detect common XSS payload patterns, and tune them for HTML-encoded forms (&lt;script&gt;, &lt;img ... onerror=...&gt;), since the payload for this flaw arrives encoded and looks benign to rules that only match raw tags
- Monitor for anomalous client-side behavior using Real User Monitoring (RUM) solutions
- Track package versions across your application portfolio to identify affected deployments
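As an added example of the dependency audit and version tracking recommended above (this script is not from the page or from any vendor tool), the following Node.js code flags jQuery UI copies older than 1.13.2 in an inventory of file contents. It recognises the banner comment of jQuery UI dist builds ("jQuery UI - v1.13.1 - ...") and the $.ui.version assignment present in full and minified builds, plus the installed version or declared range in package.json files. File reading is left to the caller so the functions stay pure; the package names checked and the sample inventory are assumptions constructed for the demonstration.

```javascript
// Added example (not from the page or a vendor tool): flag jQuery UI copies
// older than 1.13.2 in an inventory of { path: fileContents }. Reading files
// from disk is left to the caller.

const FIXED_VERSION = "1.13.2";
// npm packages that ship jQuery UI (assumption: the common ones).
const JQUERY_UI_PACKAGES = new Set(["jquery-ui", "jquery-ui-dist"]);

function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Version strings in jQuery UI sources: the dist banner comment
// ("/*! jQuery UI - v1.13.1 - 2022-01-20") and the $.ui.version assignment.
function extractJqueryUiVersion(text) {
  const banner = /jQuery UI - v(\d+\.\d+\.\d+)/.exec(text);
  if (banner) return banner[1];
  const assign = /\$\.ui\.version\s*=\s*["'](\d+\.\d+\.\d+)["']/.exec(text);
  if (assign) return assign[1];
  return null;
}

// package.json: the installed package's own version, or a dependency range
// (reported separately, because a range is not a resolved version).
function versionsFromPackageJson(text) {
  let pkg;
  try {
    pkg = JSON.parse(text);
  } catch (e) {
    return [];
  }
  const out = [];
  if (JQUERY_UI_PACKAGES.has(pkg.name) && typeof pkg.version === "string") {
    out.push({ kind: "installed", version: pkg.version });
  }
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (JQUERY_UI_PACKAGES.has(name)) out.push({ kind: "declared", version: String(range) });
    }
  }
  return out;
}

// Returns one finding per file that resolves to a version below 1.13.2;
// declared ranges are listed as "check-lockfile" for manual review.
function scanInventory(inventory) {
  const findings = [];
  for (const [file, text] of Object.entries(inventory)) {
    if (file.endsWith("package.json")) {
      for (const v of versionsFromPackageJson(text)) {
        if (v.kind === "installed") {
          if (isVulnerableVersion(v.version)) findings.push({ file, version: v.version, status: "vulnerable" });
        } else {
          findings.push({ file, version: v.version, status: "check-lockfile" });
        }
      }
    } else if (file.endsWith(".js")) {
      const v = extractJqueryUiVersion(text);
      if (v && isVulnerableVersion(v)) findings.push({ file, version: v, status: "vulnerable" });
    }
  }
  return findings;
}

// Constructed sample inventory standing in for files read from an application tree.
const sampleInventory = {
  "public/vendor/jquery-ui.min.js": "/*! jQuery UI - v1.13.1 - 2022-01-20\n * http://jqueryui.com */",
  "legacy/js/jquery-ui.js": 'var version = $.ui.version = "1.12.1";',
  "node_modules/jquery-ui/package.json": JSON.stringify({ name: "jquery-ui", version: "1.13.2" }),
  "package.json": JSON.stringify({ name: "app", dependencies: { "jquery-ui": "^1.12.0" } }),
};

console.log(scanInventory(sampleInventory));
```

In a real run, walk the application tree and the web server's document root (not only node_modules) and feed each file's text into scanInventory; a "check-lockfile" finding means the declared range alone does not tell you what was installed, so confirm the resolved version in the lockfile or the shipped asset.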
How to Mitigate CVE-2022-31160
Immediate Actions Required
- Upgrade jQuery UI to version 1.13.2 or later across all affected applications
- For Drupal sites, update the jQuery UI Checkboxradio module to the patched version
- Conduct an inventory of all web applications and components using jQuery UI
- Apply vendor-specific patches for NetApp, Fedora, and Debian systems as available
Patch Information
jQuery UI has released version 1.13.2, which addresses this vulnerability. The fix changes how the checkboxradio widget captures label contents: the non-input nodes are serialized as HTML so that text stays escaped, and refresh no longer turns previously encoded text into markup. Organizations should prioritize updating to this version or later.
For detailed patch information, refer to the jQuery UI Release Announcement and the GitHub Security Advisory, and to the vendor-specific advisories for the Drupal, NetApp, Fedora, and Debian products listed above.
Workarounds
- Wrap all non-input contents of checkboxradio labels in a <span> element; element nodes are captured via their outerHTML, which keeps their escaping, whereas bare text nodes are captured as decoded text
- Implement Content Security Policy headers to restrict inline script execution as a defense-in-depth measure
- Sanitize user-controlled content that may appear in label elements before rendering
- Avoid using the .checkboxradio("refresh") method on widgets with potentially untrusted label content until patched
<!-- Workaround: Wrap label contents in a span -->
<label>
<input type="checkbox" name="example">
<span>Safe label text here</span>
</label>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


