VulnerableCode Package Details - pkg:maven/org.webjars.npm/jquery-ui@1.13.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-969e-x2hw-yuae Aliases: CVE-2022-31160 GHSA-h6gj-6jjq-h8g9	jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like initial text label ### Impact Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code. For example, starting with the following initial secure HTML: ```html <label> <input id="test-input"> <img src=x onerror="alert(1)"> </label> ``` and calling: ```javascript $( "#test-input" ).checkboxradio(); $( "#test-input" ).checkboxradio( "refresh" ); ``` will turn the initial HTML into: ```html <label> <!-- some jQuery UI elements --> <input id="test-input"> <img src=x onerror="alert(1)"> </label> ``` and the alert will get executed. ### Patches The bug has been patched in jQuery UI 1.13.2. ### Workarounds To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the `label` in a `span`: ```html <label> <input id="test-input"> <span><img src=x onerror="alert(1)"></span> </label> ``` ### References https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/ ### For more information If you have any questions or comments about this advisory, search for a relevant issue in [the jQuery UI repo](https://github.com/jquery/jquery-ui/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc). If you don't find an answer, open a new issue.	1.13.2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-969e-x2hw-yuae
Aliases:
CVE-2022-31160
GHSA-h6gj-6jjq-h8g9

jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like initial text label ### Impact Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code. For example, starting with the following initial secure HTML: ```html <label> <input id="test-input"> <img src=x onerror="alert(1)"> </label> ``` and calling: ```javascript $( "#test-input" ).checkboxradio(); $( "#test-input" ).checkboxradio( "refresh" ); ``` will turn the initial HTML into: ```html <label>  <input id="test-input"> <img src=x onerror="alert(1)"> </label> ``` and the alert will get executed. ### Patches The bug has been patched in jQuery UI 1.13.2. ### Workarounds To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the `label` in a `span`: ```html <label> <input id="test-input"> <span><img src=x onerror="alert(1)"></span> </label> ``` ### References https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/ ### For more information If you have any questions or comments about this advisory, search for a relevant issue in [the jQuery UI repo](https://github.com/jquery/jquery-ui/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc). If you don't find an answer, open a new issue.

1.13.2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-01T10:42:33.593255+00:00	GitLab Importer	Affected by	VCID-969e-x2hw-yuae	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.webjars.npm/jquery-ui/CVE-2022-31160.yml	37.0.0

2025-08-01T10:42:33.593255+00:00

GitLab Importer

Affected by

VCID-969e-x2hw-yuae

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.webjars.npm/jquery-ui/CVE-2022-31160.yml

37.0.0

Next non-vulnerable version	1.13.2
Latest non-vulnerable version	1.13.2
Risk	3.1