CVE-2021-41184 - Vulnerability Details

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Drupal	Drupal
Fedoraproject	Fedora
Jqueryui	Jquery Ui
Netapp	H300e H300e Firmware H300s H300s Firmware H410c H410c Firmware H410s H410s Firmware H500e H500e Firmware H500s H500s Firmware H700e H700e Firmware H700s H700s Firmware
Oracle	Agile Plm Application Express Banking Platform Big Data Spatial And Graph Communications Interactive Session Recorder Communications Operations Monitor Hospitality Inventory Management Hospitality Materials Control Hospitality Suite8 Jd Edwards Enterpriseone Tools Peoplesoft Enterprise Peopletools Policy Automation Primavera Unifier Rest Data Services Weblogic Server
Redhat	Rhev Manager
Tenable	Tenable.sc

Configuration 1 [-]

cpe:2.3:a:jqueryui:jquery_ui:*:*:*:*:*:jquery:*:*

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:33:::::::*
	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*
	cpe:2.3:o:fedoraproject:fedora:36:::::::*

Configuration 3 [-]

AND

cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h410c:-:*:*:*:*:*:*:*

Configuration 11 [-]

OR	cpe:2.3:a:drupal:drupal::::::::
	cpe:2.3:a:drupal:drupal::::::::
	cpe:2.3:a:drupal:drupal::::::::

Configuration 12 [-]

cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:*

Configuration 13 [-]

OR	cpe:2.3:a:oracle:agile_plm:9.3.6:::::::*
	cpe:2.3:a:oracle:application_express::::::::
	cpe:2.3:a:oracle:banking_platform:2.9.0:::::::*
	cpe:2.3:a:oracle:banking_platform:2.12.0:::::::*
	cpe:2.3:a:oracle:big_data_spatial_and_graph::::::::
	cpe:2.3:a:oracle:big_data_spatial_and_graph:23.1:::::::*
	cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:::::::*
	cpe:2.3:a:oracle:communications_operations_monitor:4.3:::::::*
	cpe:2.3:a:oracle:communications_operations_monitor:4.4:::::::*
	cpe:2.3:a:oracle:communications_operations_monitor:5.0:::::::*
	cpe:2.3:a:oracle:hospitality_inventory_management:9.1.0:::::::*
	cpe:2.3:a:oracle:hospitality_materials_control:18.1:::::::*
	cpe:2.3:a:oracle:hospitality_suite8::::::::
	cpe:2.3:a:oracle:hospitality_suite8:8.10.2:::::::*
	cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools::::::::
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:::::::*
	cpe:2.3:a:oracle:policy_automation::::::::
	cpe:2.3:a:oracle:primavera_unifier::::::::
	cpe:2.3:a:oracle:primavera_unifier:18.8:::::::*
	cpe:2.3:a:oracle:primavera_unifier:19.12:::::::*
	cpe:2.3:a:oracle:primavera_unifier:20.12:::::::*
	cpe:2.3:a:oracle:primavera_unifier:21.12:::::::*
	cpe:2.3:a:oracle:rest_data_services:::::-:::*
	cpe:2.3:a:oracle:rest_data_services:22.1.1::::-:::
	cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*

Package	CPE	Advisory	Released Date
Red Hat Virtualization Engine 4.4
org.ovirt.engine-root-0:4.5.0.7-9	cpe:/a:redhat:rhev_manager:4.4:el8	RHSA-2022:4711	2022-05-26T00:00:00Z

References

Link	Providers
http://seclists.org/fulldisclosure/2024/Aug/37
https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/
https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280
https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/
https://nvd.nist.gov/vuln/detail/CVE-2021-41184
https://security.netapp.com/advisory/ntap-20211118-0004/
https://www.cve.org/CVERecord?id=CVE-2021-41184
https://www.drupal.org/sa-core-2022-001
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.tenable.com/security/tns-2022-09

History

Tue, 04 Nov 2025 16:30:00 +0000

Type	Values Removed	Values Added
References		http://seclists.org/fulldisclosure/2024/Aug/37

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-10-26T00:00:00.000Z

Updated: 2025-11-04T16:09:17.971Z

Reserved: 2021-09-15T00:00:00.000Z

Link: CVE-2021-41184

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-10-26T15:15:10.460

Modified: 2025-11-04T16:15:43.353

Link: CVE-2021-41184

Redhat

Severity : Moderate

Publid Date: 2021-10-25T00:00:00Z

Links: CVE-2021-41184 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object