ID

VAR-202110-1615


CVE

CVE-2021-41183


TITLE

jQuery-UI  Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-014042

DESCRIPTION

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources. jQuery-UI Exists in a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. jQuery is an open source, cross-browser JavaScript library developed by American John Resig individual developer. The library simplifies the operation between HTML and JavaScript, and has the characteristics of modularization and plug-in extension. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.0] security update Advisory ID: RHSA-2022:4711-01 Product: Red Hat Virtualization Advisory URL: https://access.redhat.com/errata/RHSA-2022:4711 Issue date: 2022-05-26 CVE Names: CVE-2021-3807 CVE-2021-23425 CVE-2021-33502 CVE-2021-41182 CVE-2021-41183 CVE-2021-41184 ==================================================================== 1. Summary: Updated ovirt-engine packages that fix several bugs and add various enhancements are now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch 3. Description: The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning. Security Fix(es): * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * nodejs-trim-off-newlines: ReDoS via string processing (CVE-2021-23425) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * jquery-ui: XSS in the altField option of the datepicker widget (CVE-2021-41182) * jquery-ui: XSS in *Text options of the datepicker widget (CVE-2021-41183) * jquery-ui: XSS in the 'of' option of the .position() util (CVE-2021-41184) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. A list of bugs fixed in this update is available in the Technical Notes book: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/2974891 5. Bugs fixed (https://bugzilla.redhat.com/): 655153 - [RFE] confirmation prompt when suspending a virtual machine - webadmin 977778 - [RFE] - Mechanism for converting disks for non-running VMS 1624015 - [RFE] Expose Console Options and Console invocation via API 1648985 - VM from VM-pool which is already in use by a SuperUser is presented to another User with UserRole permission who can shutdown the VM. 1667517 - [RFE] add VM Portal setting for set screen mode 1687845 - Multiple notification for one time host activation 1781241 - missing ?connect automatically? option in vm portal 1782056 - [RFE] Integration of built-in ipsec feature in RHV/RHHI-V with OVN 1849169 - [RFE] add virtualCPUs/physicalCPUs ratio property to evenly_distributed policy 1878930 - [RFE] Provide warning event if MAC Address Pool free and available addresses are below threshold 1922977 - [RFE] VM shared disks are not part of the OVF_STORE 1926625 - [RFE] How to enable HTTP Strict Transport Security (HSTS) on Apache HTTPD for Red Hat Virtualization Manager 1927985 - [RFE] Speed up export-to-OVA on NFS by aligning loopback device offset 1944290 - URL to change the password is not shown properly 1944834 - [RFE] Timer for Console Disconnect Action - Shutdown VM after N minutes of being disconnected (Webadmin-only) 1956295 - Template import from storage domain fails when quota is enabled. 1959186 - Enable assignment of user quota when provisioning from a non-blank template via rest-api 1964208 - [RFE] add new feature for VM's screenshot on RestAPI 1964461 - CVE-2021-33502 normalize-url: ReDoS for data URLs 1971622 - Incorrect warning displayed: "The VM CPU does not match the Cluster CPU Type" 1974741 - Disk images remain in locked state if the HE VM is rebooted during a image transfer 1979441 - High Performance VMs always have "VM CPU does not match the cluster CPU Type" warning 1979797 - Ask user for confirmation when the deleted storage domain has leases of VMs that has disk in other SDs 1980192 - Network statistics copy a U64 into DECIMAL(18,4) 1986726 - VM imported from OVA gets thin provisioned disk despite of allocation policy set as 'preallocated' 1986834 - [DOCS] add nodejs and maven to list of subscription streams to be enabled in RHVM installation 1987121 - [RFE] Support enabling nVidia Unified Memory on mdev vGPU 1988496 - vmconsole-proxy-helper.cer is not renewed when running engine-setup 1990462 - [RFE] Add user name and password to ELK integration 1991240 - Assign user quota when provisioning from a non-blank template via web-ui 1995793 - CVE-2021-23425 nodejs-trim-off-newlines: ReDoS via string processing 1996123 - ovf stores capacity/truesize on the storage does not match values in engine database 1998255 - [RFE] [UI] Add search box for vNIC Profiles in RHVM WebUI on the main vNIC profiles tab 1999698 - ssl.conf modifications of engine-setup do not conform to best practices (according to red hat insights) 2000031 - SPM host is rebooted multiple times when engine recovers the host 2002283 - Make NumOfPciExpressPorts configurable via engine-config 2003883 - Failed to update the VFs configuration of network interface card type 82599ES and X520 2003996 - ovirt_snapshot module fails to delete snapshot when there is a "Next Run configuration snapshot" 2006602 - vm_statistics table has wrong type for guest_mem_* columns. 2006745 - [MBS] Template disk Copy from data storage domain to Managed Block Storage domain is failing 2007384 - Failed to parse 'writeRate' value xxxx to integer: For input string: xxxx 2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes 2008798 - Older name rhv-openvswitch is not checked in ansible playbook 2010203 - Log analyzer creates faulty VM unmanaged devices report 2010903 - I/O operations/sec reporting wrong values 2013928 - Log analyzer creates faulty non default vdc_option report 2014888 - oVirt executive dashboard/Virtual Machine dashboard does not actually show disk I/O operations per second, but it shows sum of I/o operations since the boot time of VM 2015796 - [RFE] RHV Manager should support running on a host with DISA STIG security profile applied 2019144 - CVE-2021-41182 jquery-ui: XSS in the altField option of the datepicker widget 2019148 - CVE-2021-41183 jquery-ui: XSS in *Text options of the datepicker widget 2019153 - CVE-2021-41184 jquery-ui: XSS in the 'of' option of the .position() util 2021217 - [RFE] Windows 2022 support 2023250 - [RFE] Use virt:rhel module instead of virt:av in RHEL 8.6+ to get advanced virtualization packages 2023786 - RHV VM with SAP monitoring configuration does not fail to start if the Host is missing vdsm-hook-vhostmd 2024202 - RHV Dashboard does not show memory and storage details properly when using Spanish language. 2025936 - metrics configuration playbooks failing due to rhel-system-role last refactor 2030596 - [RFE] RHV Manager should support running on a host with the PCI-DSS security profile applied 2030663 - Update Network statistics types in DWH 2031027 - The /usr/share/ovirt-engine/ansible-runner-service-project/inventory/hosts fails rpm verification 2035051 - removing nfs-utils cause ovirt-engine removal due to cinderlib dep tree 2037115 - rhv-image-discrepancies (rhv-log-collector-analyzer-1.0.11-1.el8ev) tool continues flags OVF_STORE volumes. 2037121 - RFE: Add Data Center and Storage Domain name in the rhv-image-discrepancies tool output. 2040361 - Hotplug VirtIO-SCSI disk fails with error "Domain already contains a disk with that address" when IO threads > 1 2040402 - unable to use --log-size=0 option 2040474 - [RFE] Add progress tracking for Cluster Upgrade 2041544 - Admin GUI: Making selection of host while uploading disk it will immediately replace it with the first active host in the list. 2043146 - Expired /etc/pki/vdsm/libvirt-vnc/server-cert.pem certificate is skipped during Enroll Certificate 2044273 - Remove the RHV Guest Tools ISO image upload option from engine-setup 2048546 - sosreport command should be replaced by sos report 2050566 - Upgrade ovirt-log-collector to 4.4.5 2050614 - Upgrade rhvm-setup-plugins to 4.5.0 2051857 - Upgrade rhv-log-collector-analizer to 1.0.13 2052557 - RHV fails to release mdev vGPU device after VM shutdown 2052690 - [RFE] Upgrade to ansible-core-2.12 in ovirt-engine 2054756 - [welcome page] Add link to MTV guide 2055136 - virt module is not changed to the correct stream during host upgrade 2056021 - [BUG]: "Enroll Certificate" operation not updating libvirt-vnc cert and key 2056052 - RHV-H w/ PCI-DSS profile causes OVA export to fail 2056126 - [RFE] Extend time to warn of upcoming certificate expiration 2058264 - Export as OVA playbook gets stuck with 'found an incomplete artifacts directory...Possible ansible_runner error?' 2059521 - [RFE] Upgrade to ansible-core-2.12 in ovirt-engine-metrics 2059877 - [DOCS][Upgrade] Update RHVM update procedure in Upgrade guide 2061904 - Unable to attach a RHV Host back into cluster after removing due to networking 2065052 - [TRACKER] Upgrade to ansible-core-2.12 in RHV 4.4 SP1 2066084 - vmconsole-proxy-user certificate expired - cannot access serial console 2066283 - Upgrade from RHV 4.4.10 to RHV 4.5.0 is broken 2069972 - [Doc][RN]Add cluster-level 4.7 to compatibility table 2070156 - [TESTONLY] Test upgrade from ovirt-engine-4.4.1 2071468 - Engine fenced host that was already reconnected and set to Up status. 2072637 - Build and distribute python38-daemon in RHV channels 2072639 - Build and distribute ansible-runner in RHV channels 2072641 - Build and distribute python38-docutils in RHV channels 2072642 - Build and distribute python38-lockfile in RHV channels 2072645 - Build and distribute python38-pexpect in RHV channels 2072646 - Build and distribute python38-ptyprocess in RHV channels 2075352 - upgrading RHV-H does not renew certificate 6. Package List: RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4: Source: ansible-runner-2.1.3-1.el8ev.src.rpm apache-sshd-2.8.0-0.1.el8ev.src.rpm engine-db-query-1.6.4-1.el8ev.src.rpm ovirt-dependencies-4.5.1-1.el8ev.src.rpm ovirt-engine-4.5.0.7-0.9.el8ev.src.rpm ovirt-engine-dwh-4.5.2-1.el8ev.src.rpm ovirt-engine-metrics-1.6.0-1.el8ev.src.rpm ovirt-engine-ui-extensions-1.3.3-1.el8ev.src.rpm ovirt-log-collector-4.4.5-1.el8ev.src.rpm ovirt-web-ui-1.8.1-2.el8ev.src.rpm rhv-log-collector-analyzer-1.0.13-1.el8ev.src.rpm rhvm-branding-rhv-4.4.11-1.el8ev.src.rpm rhvm-setup-plugins-4.5.0-2.el8ev.src.rpm vdsm-jsonrpc-java-1.7.1-2.el8ev.src.rpm noarch: ansible-runner-2.1.3-1.el8ev.noarch.rpm apache-sshd-2.8.0-0.1.el8ev.noarch.rpm apache-sshd-javadoc-2.8.0-0.1.el8ev.noarch.rpm engine-db-query-1.6.4-1.el8ev.noarch.rpm ovirt-dependencies-4.5.1-1.el8ev.noarch.rpm ovirt-engine-4.5.0.7-0.9.el8ev.noarch.rpm ovirt-engine-backend-4.5.0.7-0.9.el8ev.noarch.rpm ovirt-engine-dbscripts-4.5.0.7-0.9.el8ev.noarch.rpm ovirt-engine-dwh-4.5.2-1.el8ev.noarch.rpm ovirt-engine-dwh-grafana-integration-setup-4.5.2-1.el8ev.noarch.rpm ovirt-engine-dwh-setup-4.5.2-1.el8ev.noarch.rpm ovirt-engine-health-check-bundler-4.5.0.7-0.9.el8ev.noarch.rpm ovirt-engine-metrics-1.6.0-1.el8ev.noarch.rpm ovirt-engine-restapi-4.5.0.7-0.9.el8ev.noarch.rpm ovirt-engine-setup-4.5.0.7-0.9.el8ev.noarch.rpm ovirt-engine-setup-base-4.5.0.7-0.9.el8ev.noarch.rpm ovirt-engine-setup-plugin-cinderlib-4.5.0.7-0.9.el8ev.noarch.rpm ovirt-engine-setup-plugin-imageio-4.5.0.7-0.9.el8ev.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-4.5.0.7-0.9.el8ev.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-common-4.5.0.7-0.9.el8ev.noarch.rpm ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.0.7-0.9.el8ev.noarch.rpm ovirt-engine-setup-plugin-websocket-proxy-4.5.0.7-0.9.el8ev.noarch.rpm ovirt-engine-tools-4.5.0.7-0.9.el8ev.noarch.rpm ovirt-engine-tools-backup-4.5.0.7-0.9.el8ev.noarch.rpm ovirt-engine-ui-extensions-1.3.3-1.el8ev.noarch.rpm ovirt-engine-vmconsole-proxy-helper-4.5.0.7-0.9.el8ev.noarch.rpm ovirt-engine-webadmin-portal-4.5.0.7-0.9.el8ev.noarch.rpm ovirt-engine-websocket-proxy-4.5.0.7-0.9.el8ev.noarch.rpm ovirt-log-collector-4.4.5-1.el8ev.noarch.rpm ovirt-web-ui-1.8.1-2.el8ev.noarch.rpm python3-ovirt-engine-lib-4.5.0.7-0.9.el8ev.noarch.rpm python38-ansible-runner-2.1.3-1.el8ev.noarch.rpm python38-docutils-0.14-12.4.el8ev.noarch.rpm rhv-log-collector-analyzer-1.0.13-1.el8ev.noarch.rpm rhvm-4.5.0.7-0.9.el8ev.noarch.rpm rhvm-branding-rhv-4.4.11-1.el8ev.noarch.rpm rhvm-setup-plugins-4.5.0-2.el8ev.noarch.rpm vdsm-jsonrpc-java-1.7.1-2.el8ev.noarch.rpm vdsm-jsonrpc-java-javadoc-1.7.1-2.el8ev.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-3807 https://access.redhat.com/security/cve/CVE-2021-23425 https://access.redhat.com/security/cve/CVE-2021-33502 https://access.redhat.com/security/cve/CVE-2021-41182 https://access.redhat.com/security/cve/CVE-2021-41183 https://access.redhat.com/security/cve/CVE-2021-41184 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYo/qI9zjgjWX9erEAQhpng//aJBlyx9sUzPTC08WE6OwY4Ihk8b0wSh5 C9RWX/PmlDE2CAivQHpSs8D7/IizHl4Arn6f0HJx+NavN8YfbApqs2mcq+KUKYuC /VxCb3YlukeDsXeYIM+ScifS9M+N+WNGy9BRrlcYxZ4Ya5zLYv/ibrrHCX44yKz8 Jg5abyQyCzI6DEPjSDRIZkULLIdkbQ8xGd7j5P4ThAR2MRf8deeHez4/NmfrQm6n Q3f4qeQlljiNgoGdxa2z65Shxpb3pkWGt81MZuMwKpRa6EDBDs8vGMA0LZamsikv XZUU2P7d+JrXvLd2bmfGty6EaQ2FY0XoB0vvK1AyUhSZkX2thUvFsEgIdWjLSu4a eT28D2etZLTIyl1DB42L+5gcomaQTn0sT0i99ExWkFyf9xWne+ygOFYydjV0/fy+ 530Pwzlk9c2QtHgJ/XzGU12QLzKa/tvLbqXTfmAmlqDkU/+3aIr2l5SgnudzY4NN BAUae8noIVWEs6L+6DY5HYt+x+WYYLipQh9gPjpBOaH+sEFvZ2+GzlVR0zF4IM5E qLH5bopwO6GfHeNjv+4U+l+3kjhJIpwrsy/uzc+/mExrraYFpZc8skbcGRyhQ7ML CtHSV7Y4x/OguhgYeqx1ocCfpIpkbu4MGa4esGDW4ocvL03AHnbxOG7gGvBH35oF cada2etYwu0=nreb -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 1.89

sources: NVD: CVE-2021-41183 // JVNDB: JVNDB-2021-014042 // VULHUB: VHN-397877 // VULMON: CVE-2021-41183 // PACKETSTORM: 167278

AFFECTED PRODUCTS

vendor:netappmodel:h500escope:eqversion: -

Trust: 1.0

vendor:drupalmodel:drupalscope:gteversion:9.2.0

Trust: 1.0

vendor:oraclemodel:policy automationscope:lteversion:12.2.5

Trust: 1.0

vendor:oraclemodel:primavera gatewayscope:lteversion:17.12

Trust: 1.0

vendor:oraclemodel:banking platformscope:eqversion:2.12.0

Trust: 1.0

vendor:oraclemodel:hospitality suite8scope:lteversion:11.14.0

Trust: 1.0

vendor:oraclemodel:primavera gatewayscope:eqversion:18.8.0

Trust: 1.0

vendor:netappmodel:h500sscope:eqversion: -

Trust: 1.0

vendor:oraclemodel:communications operations monitorscope:eqversion:4.4

Trust: 1.0

vendor:oraclemodel:agile plmscope:eqversion:9.3.6

Trust: 1.0

vendor:oraclemodel:rest data servicesscope:ltversion:22.1.1

Trust: 1.0

vendor:tenablemodel:tenable.scscope:ltversion:5.21.0

Trust: 1.0

vendor:oraclemodel:weblogic serverscope:eqversion:12.2.1.3.0

Trust: 1.0

vendor:oraclemodel:application expressscope:ltversion:22.1.1

Trust: 1.0

vendor:netappmodel:h300escope:eqversion: -

Trust: 1.0

vendor:oraclemodel:communications operations monitorscope:eqversion:5.0

Trust: 1.0

vendor:oraclemodel:hospitality inventory managementscope:eqversion:9.1.0

Trust: 1.0

vendor:oraclemodel:primavera gatewayscope:eqversion:19.12.0

Trust: 1.0

vendor:oraclemodel:big data spatial and graphscope:ltversion:23.1

Trust: 1.0

vendor:drupalmodel:drupalscope:gteversion:9.3.0

Trust: 1.0

vendor:oraclemodel:weblogic serverscope:eqversion:14.1.1.0.0

Trust: 1.0

vendor:oraclemodel:communications interactive session recorderscope:eqversion:6.4

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:35

Trust: 1.0

vendor:oraclemodel:jd edwards enterpriseone toolsscope:lteversion:9.2.6.3

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:36

Trust: 1.0

vendor:oraclemodel:primavera gatewayscope:gteversion:17.7

Trust: 1.0

vendor:netappmodel:h700escope:eqversion: -

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:34

Trust: 1.0

vendor:netappmodel:h410cscope:eqversion: -

Trust: 1.0

vendor:netappmodel:h300sscope:eqversion: -

Trust: 1.0

vendor:netappmodel:h410sscope:eqversion: -

Trust: 1.0

vendor:oraclemodel:communications operations monitorscope:eqversion:4.3

Trust: 1.0

vendor:netappmodel:h700sscope:eqversion: -

Trust: 1.0

vendor:drupalmodel:drupalscope:gteversion:7.0

Trust: 1.0

vendor:oraclemodel:primavera gatewayscope:eqversion:21.12.0

Trust: 1.0

vendor:drupalmodel:drupalscope:ltversion:9.3.3

Trust: 1.0

vendor:jqueryuimodel:jquery uiscope:ltversion:1.13.0

Trust: 1.0

vendor:oraclemodel:banking platformscope:eqversion:2.9.0

Trust: 1.0

vendor:oraclemodel:hospitality suite8scope:eqversion:8.10.2

Trust: 1.0

vendor:oraclemodel:peoplesoft enterprise peopletoolsscope:eqversion:8.58

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:33

Trust: 1.0

vendor:oraclemodel:policy automationscope:gteversion:12.2.0

Trust: 1.0

vendor:oraclemodel:hospitality suite8scope:gteversion:8.11.0

Trust: 1.0

vendor:oraclemodel:peoplesoft enterprise peopletoolsscope:eqversion:8.59

Trust: 1.0

vendor:oraclemodel:weblogic serverscope:eqversion:12.2.1.4.0

Trust: 1.0

vendor:drupalmodel:drupalscope:ltversion:7.86

Trust: 1.0

vendor:oraclemodel:primavera gatewayscope:eqversion:20.12.0

Trust: 1.0

vendor:drupalmodel:drupalscope:ltversion:9.2.11

Trust: 1.0

vendor:oraclemodel:rest data servicesscope:eqversion:22.1.1

Trust: 1.0

vendor:oraclemodel:mysql enterprise monitorscope:lteversion:8.0.29

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:9.0

Trust: 1.0

vendor:oraclemodel:big data spatial and graphscope:eqversion:23.1

Trust: 1.0

vendor:netappmodel:h300sscope: - version: -

Trust: 0.8

vendor:netappmodel:h500escope: - version: -

Trust: 0.8

vendor:netappmodel:h500sscope: - version: -

Trust: 0.8

vendor:jquerymodel:uiscope: - version: -

Trust: 0.8

vendor:netappmodel:h410cscope: - version: -

Trust: 0.8

vendor:netappmodel:h300escope: - version: -

Trust: 0.8

vendor:netappmodel:h700escope: - version: -

Trust: 0.8

vendor:drupalmodel:drupalscope: - version: -

Trust: 0.8

vendor:debianmodel:gnu/linuxscope: - version: -

Trust: 0.8

vendor:netappmodel:h410sscope: - version: -

Trust: 0.8

vendor:netappmodel:h700sscope: - version: -

Trust: 0.8

vendor:fedoramodel:fedorascope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-014042 // NVD: CVE-2021-41183

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-41183
value: MEDIUM

Trust: 1.0

security-advisories@github.com: CVE-2021-41183
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-41183
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202110-1839
value: MEDIUM

Trust: 0.6

VULHUB: VHN-397877
value: MEDIUM

Trust: 0.1

VULMON: CVE-2021-41183
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-41183
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-397877
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-41183
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

security-advisories@github.com: CVE-2021-41183
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2021-41183
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-397877 // VULMON: CVE-2021-41183 // JVNDB: JVNDB-2021-014042 // CNNVD: CNNVD-202110-1839 // NVD: CVE-2021-41183 // NVD: CVE-2021-41183

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.1

problemtype:Cross-site scripting (CWE-79) [NVD evaluation ]

Trust: 0.8

sources: VULHUB: VHN-397877 // JVNDB: JVNDB-2021-014042 // NVD: CVE-2021-41183

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-1839

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 167278 // CNNVD: CNNVD-202110-1839

PATCH

title:NTAP-20211118-0004url:https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html

Trust: 0.8

title:jQuery Fixes for cross-site scripting vulnerabilitiesurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=167278

Trust: 0.6

title:Red Hat: Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.0] security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20224711 - Security Advisory

Trust: 0.1

title:Red Hat: CVE-2021-41183url:https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2021-41183

Trust: 0.1

title:IBM: Security Bulletin: API Connect is vulnerable to JQuery-UI Cross-Site Scripting (XSS) (CVE-2021-41184, CVE-2021-41183, CVE-2021-41182)url:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=cad03619ba21e75b9c9476e5adf69069

Trust: 0.1

title:Tenable Security Advisories: [R1] Tenable.sc 5.21.0 Fixes Multiple Third-Party Vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories&qid=TNS-2022-09

Trust: 0.1

title: - url:https://github.com/Live-Hack-CVE/CVE-2021-41183

Trust: 0.1

title: - url:https://github.com/marksowell/retire-html-parser

Trust: 0.1

sources: VULMON: CVE-2021-41183 // JVNDB: JVNDB-2021-014042 // CNNVD: CNNVD-202110-1839

EXTERNAL IDS

db:NVDid:CVE-2021-41183

Trust: 3.5

db:TENABLEid:TNS-2022-09

Trust: 1.8

db:PACKETSTORMid:167278

Trust: 0.8

db:JVNDBid:JVNDB-2021-014042

Trust: 0.8

db:CNNVDid:CNNVD-202110-1839

Trust: 0.7

db:AUSCERTid:ESB-2022.2458

Trust: 0.6

db:AUSCERTid:ESB-2022.0236

Trust: 0.6

db:AUSCERTid:ESB-2022.2191

Trust: 0.6

db:AUSCERTid:ESB-2022.5431

Trust: 0.6

db:AUSCERTid:ESB-2022.2599

Trust: 0.6

db:AUSCERTid:ESB-2022.1792

Trust: 0.6

db:AUSCERTid:ESB-2022.3896

Trust: 0.6

db:AUSCERTid:ESB-2022.1837

Trust: 0.6

db:AUSCERTid:ESB-2022.6384

Trust: 0.6

db:CS-HELPid:SB2022030804

Trust: 0.6

db:CS-HELPid:SB2022062021

Trust: 0.6

db:CS-HELPid:SB2022042017

Trust: 0.6

db:CS-HELPid:SB2022011946

Trust: 0.6

db:VULHUBid:VHN-397877

Trust: 0.1

db:VULMONid:CVE-2021-41183

Trust: 0.1

sources: VULHUB: VHN-397877 // VULMON: CVE-2021-41183 // JVNDB: JVNDB-2021-014042 // PACKETSTORM: 167278 // CNNVD: CNNVD-202110-1839 // NVD: CVE-2021-41183

REFERENCES

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/nxiuubrvla4e7g7mmikcen75yn7uferw/

Trust: 1.8

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/o74sxyy7rgxreqdqudqd4bpj4qqtd2xq/

Trust: 1.8

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/snxa7xrkginwsuipiz6zbctv6n3kshes/

Trust: 1.8

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/hvkiowsxl2rf2ulnap7phesycfszije3/

Trust: 1.8

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/sgsy236pysfyiebrgderla7osy6d7xl4/

Trust: 1.8

url:https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html

Trust: 1.8

url:https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/

Trust: 1.8

url:https://bugs.jqueryui.com/ticket/15284

Trust: 1.8

url:https://github.com/jquery/jquery-ui/pull/1953

Trust: 1.8

url:https://github.com/jquery/jquery-ui/security/advisories/ghsa-j7qv-pgf6-hvh4

Trust: 1.8

url:https://security.netapp.com/advisory/ntap-20211118-0004/

Trust: 1.8

url:https://www.drupal.org/sa-contrib-2022-004

Trust: 1.8

url:https://www.drupal.org/sa-core-2022-001

Trust: 1.8

url:https://www.drupal.org/sa-core-2022-002

Trust: 1.8

url:https://www.oracle.com/security-alerts/cpuapr2022.html

Trust: 1.8

url:https://www.oracle.com/security-alerts/cpujul2022.html

Trust: 1.8

url:https://www.tenable.com/security/tns-2022-09

Trust: 1.8

url:https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2021-41183

Trust: 0.9

url:https://access.redhat.com/security/cve/cve-2021-41183

Trust: 0.7

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/o74sxyy7rgxreqdqudqd4bpj4qqtd2xq/

Trust: 0.6

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/snxa7xrkginwsuipiz6zbctv6n3kshes/

Trust: 0.6

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/sgsy236pysfyiebrgderla7osy6d7xl4/

Trust: 0.6

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/nxiuubrvla4e7g7mmikcen75yn7uferw/

Trust: 0.6

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/hvkiowsxl2rf2ulnap7phesycfszije3/

Trust: 0.6

url:https://vigilance.fr/vulnerability/jquery-ui-three-vulnerabilities-36936

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022030804

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.2458

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.1792

Trust: 0.6

url:https://www.ibm.com/support/pages/node/6525274

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022042017

Trust: 0.6

url:https://packetstormsecurity.com/files/167278/red-hat-security-advisory-2022-4711-01.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.2191

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.6384

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022011946

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022062021

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.1837

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.5431

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.3896

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.2599

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.0236

Trust: 0.6

url:https://access.redhat.com/errata/rhsa-2022:4711

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url:https://github.com/live-hack-cve/cve-2021-41183

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-is-vulnerable-to-jquery-ui-cross-site-scripting-xss-cve-2021-41184-cve-2021-41183-cve-2021-41182/

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-23425

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3807

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-41182

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-41184

Trust: 0.1

url:https://access.redhat.com/security/team/key/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-41184

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-33502

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

Trust: 0.1

url:https://access.redhat.com/security/team/contact/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-23425

Trust: 0.1

url:https://access.redhat.com/articles/2974891

Trust: 0.1

url:https://bugzilla.redhat.com/):

Trust: 0.1

url:https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.1

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-3807

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-41182

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-33502

Trust: 0.1

sources: VULHUB: VHN-397877 // VULMON: CVE-2021-41183 // JVNDB: JVNDB-2021-014042 // PACKETSTORM: 167278 // CNNVD: CNNVD-202110-1839 // NVD: CVE-2021-41183

CREDITS

Red Hat

Trust: 0.1

sources: PACKETSTORM: 167278

SOURCES

db:VULHUBid:VHN-397877
db:VULMONid:CVE-2021-41183
db:JVNDBid:JVNDB-2021-014042
db:PACKETSTORMid:167278
db:CNNVDid:CNNVD-202110-1839
db:NVDid:CVE-2021-41183

LAST UPDATE DATE

2024-08-14T13:18:57.950000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-397877date:2022-11-07T00:00:00
db:VULMONid:CVE-2021-41183date:2023-06-21T00:00:00
db:JVNDBid:JVNDB-2021-014042date:2022-10-03T06:51:00
db:CNNVDid:CNNVD-202110-1839date:2022-12-08T00:00:00
db:NVDid:CVE-2021-41183date:2023-08-31T03:15:13.023

SOURCES RELEASE DATE

db:VULHUBid:VHN-397877date:2021-10-26T00:00:00
db:VULMONid:CVE-2021-41183date:2021-10-26T00:00:00
db:JVNDBid:JVNDB-2021-014042date:2022-10-03T00:00:00
db:PACKETSTORMid:167278date:2022-05-27T15:37:28
db:CNNVDid:CNNVD-202110-1839date:2021-10-26T00:00:00
db:NVDid:CVE-2021-41183date:2021-10-26T15:15:10.387