VYPR
← All advisories
Moderate severityNVD Advisory· Published Oct 26, 2021· Updated Feb 13, 2025

XSS in the `altField` option of the Datepicker widget

CVE-2021-41182

Description

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. A workaround is to not accept the value of the altField option from untrusted sources.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

jQuery UI Datepicker altField XSS vulnerability allows arbitrary code execution from untrusted input; fixed in 1.13.0.

## Vulnerability jQuery-UI prior to version 1.13.0 [1] contains a cross-site scripting (XSS) vulnerability in the Datepicker widget's altField option. When an attacker-controlled value is passed to this option, it is interpreted as HTML markup rather than a CSS selector, leading to potential execution of untrusted code [2]. Affected versions include all jQuery UI versions before 1.13.0 [1].

Exploitation

An attacker must be able to supply a string value to the altField option from an untrusted source, such as via user input or a crafted URL parameter [1]. No authentication is required if the attacker can manipulate the option value. The attacker can inject arbitrary HTML and JavaScript, which will be executed when the Datepicker is rendered [2]. The fix in version 1.13.0 treats the altField option as a CSS selector, preventing HTML injection [3].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the user's browser session, leading to potential data theft, session hijacking, or other malicious actions [1][2]. The impact is limited by the browser's same-origin policy but can be severe if the attacker can interact with sensitive data within the page.

Mitigation

The vulnerability is fixed in jQuery UI version 1.13.0, released on October 26, 2021 [1][2]. Users should upgrade to this version or later. As a workaround, do not accept the value of the altField option from untrusted sources [1]. Drupal 7 users updated to version 7.86 to apply the fix [4].

References
  1. NVD - CVE-2021-41182
  2. jQuery UI 1.13.0 released | jQuery UI Blog
  3. Datepicker: Make sure altField is treated as a CSS selector by mgol · Pull Request #1954 · jquery/jquery-ui
  4. Drupal core - Moderately critical - Cross site scripting - SA-CORE-2022-002

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
jquery-uinpm
< 1.13.01.13.0
jQuery.UI.CombinedNuGet
< 1.13.01.13.0
jquery-ui-railsRubyGems
< 7.0.07.0.0
org.webjars.npm:jquery-uiMaven
< 1.13.01.13.0

Affected products

51

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

31

News mentions

0

No linked articles in our index yet.