Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:nuget/jQuery.UI.Combined@1.13.1

Type nuget

Namespace

Name jQuery.UI.Combined

Version 1.13.1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.13.2

Latest_non_vulnerable_version 1.13.2

Affected_by_vulnerabilities

url VCID-kuee-hxg5-qqgt

vulnerability_id VCID-kuee-hxg5-qqgt

summary

jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like initial text label
### Impact
Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
```html
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
```
and calling:
```js
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
```
will turn the initial HTML into:
```html
<label>
	<!-- some jQuery UI elements -->
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
```
and the alert will get executed.

### Patches
The bug has been patched in jQuery UI 1.13.2.

### Workarounds
To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the `label` in a `span`:
```html
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
```

### References
https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

### For more information
If you have any questions or comments about this advisory, search for a relevant issue in [the jQuery UI repo](https://github.com/jquery/jquery-ui/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc). If you don't find an answer, open a new issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-31160.json

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-31160.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-31160

reference_id

reference_type

scores

value	0.10183
scoring_system	epss
scoring_elements	0.93104
published_at	2026-04-02T12:55:00Z

value	0.10183
scoring_system	epss
scoring_elements	0.93123
published_at	2026-04-13T12:55:00Z

value	0.10183
scoring_system	epss
scoring_elements	0.93122
published_at	2026-04-12T12:55:00Z

value	0.10183
scoring_system	epss
scoring_elements	0.93106
published_at	2026-04-07T12:55:00Z

value	0.10183
scoring_system	epss
scoring_elements	0.93119
published_at	2026-04-09T12:55:00Z

value	0.10183
scoring_system	epss
scoring_elements	0.93107
published_at	2026-04-04T12:55:00Z

value	0.10183
scoring_system	epss
scoring_elements	0.93114
published_at	2026-04-08T12:55:00Z

value	0.10183
scoring_system	epss
scoring_elements	0.93124
published_at	2026-04-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-31160

reference_url

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31160
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31160

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/jquery/jquery-ui

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/jquery/jquery-ui

reference_url

https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:27Z/

url

https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9

reference_url

https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:27Z/

url

https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9

reference_url

https://github.com/jquery-ui-rails/jquery-ui-rails/blob/master/VERSIONS.md

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/jquery-ui-rails/jquery-ui-rails/blob/master/VERSIONS.md

reference_url

https://github.com/jquery-ui-rails/jquery-ui-rails/releases/tag/v8.0.0-release

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/jquery-ui-rails/jquery-ui-rails/releases/tag/v8.0.0-release

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-ui-rails/CVE-2022-31160.yml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-ui-rails/CVE-2022-31160.yml

reference_url

https://lists.debian.org/debian-lts-announce/2022/12/msg00015.html

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:27Z/

url

https://lists.debian.org/debian-lts-announce/2022/12/msg00015.html

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-31160

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-31160

reference_url

https://security.netapp.com/advisory/ntap-20220909-0007

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20220909-0007

reference_url

https://www.drupal.org/sa-contrib-2022-052

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:27Z/

url

https://www.drupal.org/sa-contrib-2022-052

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015982
reference_id	1015982
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015982

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2110705
reference_id	2110705
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2110705

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD/

reference_id

6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:27Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD/

reference_url

https://github.com/advisories/GHSA-h6gj-6jjq-h8g9

reference_id

GHSA-h6gj-6jjq-h8g9

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-h6gj-6jjq-h8g9

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO/

reference_id

J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:27Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO/

reference_url

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

reference_id

jquery-ui-1-13-2-released

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:27Z/

url

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

reference_url

https://security.netapp.com/advisory/ntap-20220909-0007/

reference_id

ntap-20220909-0007

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:27Z/

url

https://security.netapp.com/advisory/ntap-20220909-0007/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6/

reference_id

QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:27Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6/

reference_url	https://usn.ubuntu.com/6419-1/
reference_id	USN-6419-1
reference_type
scores
url	https://usn.ubuntu.com/6419-1/

reference_url	https://usn.ubuntu.com/USN-5181-1/
reference_id	USN-USN-5181-1
reference_type
scores
url	https://usn.ubuntu.com/USN-5181-1/

fixed_packages

url	pkg:nuget/jQuery.UI.Combined@1.13.2
purl	pkg:nuget/jQuery.UI.Combined@1.13.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:nuget/jQuery.UI.Combined@1.13.2

aliases CVE-2022-31160, GHSA-h6gj-6jjq-h8g9

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kuee-hxg5-qqgt

Fixing_vulnerabilities

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/packages/pkg:nuget/jQuery.UI.Combined@1.13.1

Package Instance