CVE-2022-31160 MEDIUM

CVE-2022-31160: jQuery UI contains potential XSS vulnerability when refreshing a checkboxradio with an HTML-like initial text label

Vendor Jquery
Product jquery-ui
Weakness CWE-79 · XSS
Published July 20, 2022
Last update April 22, 2025
View on NVD All CVEs

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.

Key dates

02Disclosure timeline

July 20, 2022 CVE published
April 22, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-48560 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2024-41675 CKAN has a Cross-site Scripting vector in the Datatables view plugin CVE-2026-10228 raisulislamg4 student_management_system_by_php admission_form_check.php cross site scripting CVE-2025-30625 WordPress AppBanners plugin <= 1.5.14 - Cross Site Scripting (XSS) Vulnerability CVE-2025-50041 WordPress Gutenberg Blocks – ACF Blocks Suite plugin <= 2.6.11 - Cross Site Scripting (XSS) Vulnerability