VYPR
Moderate severity · NVD Advisory · Published Oct 26, 2021 · Updated Nov 4, 2025

XSS in the `of` option of the `.position()` util

CVE-2021-41184

Description

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

jQuery UI before 1.13.0 allows XSS via the `of` option of the `.position()` utility when sourced from untrusted input.

Vulnerability

The jQuery UI library prior to version 1.13.0 contains a cross-site scripting (XSS) vulnerability in the `.position()` utility. When the `of` option is supplied as a string from an untrusted source, it is passed directly to the jQuery `$()` factory, which treats a string that looks like markup as HTML to parse rather than as a selector. This can allow injection of arbitrary HTML elements and JavaScript execution. The issue is fixed in jQuery UI 1.13.0, where any string value passed to the `of` option is now treated strictly as a CSS selector [1][2][4].

Exploitation

An attacker can exploit this vulnerability if they can control the value of the `of` option passed to the `.position()` utility. This typically requires the attacker to influence application code that accepts user input and directly passes it to `.position()`. No special network position or authentication is required beyond the ability to provide a crafted string. For example, an attacker could supply a string such as "", which, when processed by the vulnerable code, would create an HTML element and execute arbitrary JavaScript in the context of the user's session [4]. The exploitation is demonstrated in the unit test added in the fix [4].

Impact

Successful exploitation leads to arbitrary JavaScript execution within the browser of a user who views a page using the vulnerable `.position()` call. This can result in session hijacking, data theft, defacement, or other malicious actions, depending on the application context. The attack operates at the same privilege level as the user's session and does not provide direct server-side access [1][2][4].

Mitigation

The vulnerability is fixed in jQuery UI version 1.13.0, released on October 25, 2021 [1][2]. Users should upgrade to at least this version. As a workaround, applications should not accept the value of the `of` option from untrusted sources; any user-supplied value should be validated against an allowlist of known safe selectors or sanitized before use [1]. Multiple downstream products, such as Tenable.sc 5.21.0, have updated their bundled jQuery UI to a patched version [3].
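As an added example that is not part of this advisory or of jQuery UI's code, the Node script below models how `$( string )` dispatched a string `of` value before the fix (jQuery's own quick-match regex from core/init.js is reproduced) and implements the allowlist workaround described above; `classifyOfBeforeFix`, `validateOfOption` and the sample inputs are names and values chosen here.

```javascript
// Added example, not jQuery UI's code: models how `$( string )` dispatched a
// string `of` value before the fix, and implements the allowlist workaround.
// Runs in plain Node; no jQuery or DOM is needed.

// jQuery's own quick-match regex from core/init.js. Group 1 captures an HTML
// fragment, group 2 a bare "#id". A group-1 match is sent to $.parseHTML, which
// builds the element and therefore fires inline handlers such as onerror.
const RQUICK_EXPR = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// Classify what `$( options.of )` (the pre-1.13.0 code) would do with a value.
// Returns "html", "id", "selector" or "object" (element / jQuery set / event).
function classifyOfBeforeFix(value) {
  if (typeof value !== "string") return "object";
  // Fast path in jQuery: "<...>" with nothing around it is always HTML.
  if (value[0] === "<" && value[value.length - 1] === ">" && value.length >= 3) {
    return "html";
  }
  const m = RQUICK_EXPR.exec(value);
  if (m && m[1]) return "html";   // e.g. "  <b>x</b> trailing text"
  if (m && m[2]) return "id";     // e.g. "#anchor" -> getElementById
  return "selector";              // everything else reaches the selector engine
}

// Workaround from the advisory for callers that cannot upgrade yet: a string
// `of` is accepted only if the application itself declared it as a safe
// selector; any other string is rejected rather than "cleaned". Non-strings
// (DOM elements, jQuery objects, events) pass through, since they never reach
// the HTML-parsing branch.
function validateOfOption(value, allowedSelectors) {
  if (typeof value !== "string") return value;
  if (allowedSelectors.includes(value)) return value;
  throw new TypeError("untrusted `of` value rejected: " + JSON.stringify(value));
}

// Constructed sample inputs; the first is the string from the fix's unit test.
const SAMPLES = [
  "<img onerror='window.globalOf=true' src='/404' />",
  "  <b>x</b> trailing text",
  "#anchor",
  ".menu > li.active",
  { nodeType: 1 }, // stands in for a DOM element
];

// Classification of each sample under the pre-fix dispatch.
function demo() {
  return SAMPLES.map((s) => classifyOfBeforeFix(s));
}
```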

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| jquery-ui | npm | < 1.13.0 | 1.13.0 |
| org.webjars.npm:jquery-ui | Maven | < 1.13.0 | 1.13.0 |
| jQuery.UI.Combined | NuGet | < 1.13.0 | 1.13.0 |
| jquery-ui-rails | RubyGems | < 7.0.0 | 7.0.0 |

Affected products: 51

Patches: 1

effa323f1505

Position: Make sure `of` is treated as a CSS selector

https://github.com/jquery/jquery-ui · Michał Gołębiowski-Owczarek · May 4, 2021 · via ghsa
2 files changed · +25 −2
  • tests/unit/position/core.js · +19 −1 · modified
    @@ -113,7 +113,9 @@ QUnit.test( "positions", function( assert ) {
     } );
     
     QUnit.test( "of", function( assert ) {
    -	assert.expect( 9 + ( scrollTopSupport() ? 1 : 0 ) );
    +	assert.expect( 10 + ( scrollTopSupport() ? 1 : 0 ) );
    +
    +	var done = assert.async();
     
     	var event;
     
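Review bot: `done` is obtained from `assert.async()` here but nothing in this hunk calls it, so if the deferred check at the end of the test is ever removed the test will hang until QUnit's timeout rather than fail; a one-line comment pointing at the timer-based assertion later in the test would help the next reader. The bump from 9 to 10 in `assert.expect` matches the single new `assert.equal`, which is correct.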
    @@ -225,6 +227,21 @@ QUnit.test( "of", function( assert ) {
     		top: 600,
     		left: 400
     	}, "event - left top, right bottom" );
    +
    +	try {
    +		$( "#elx" ).position( {
    +			my: "left top",
    +			at: "right bottom",
    +			of: "<img onerror='window.globalOf=true' src='/404' />",
    +			collision: "none"
    +		} );
    +	} catch ( e ) {}
    +
    +	setTimeout( function() {
    +		assert.equal( window.globalOf, undefined, "of treated as a selector" );
    +		delete window.globalOf;
    +		done();
    +	}, 500 );
     } );
     
     QUnit.test( "offsets", function( assert ) {
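Review bot: the empty `catch ( e ) {}` discards the reason the call throws. With the fix, a string like this one is handed to the selector engine and rejected as a syntax error, so the throw is expected; asserting that it throws (or at least saying so in a comment) would distinguish the intended rejection from a regression where the string is silently accepted but happens not to create an element. The fixed 500 ms wait is also a timing assumption, and `delete window.globalOf` only runs on the success path; resetting it in the module's teardown would keep a failing run from leaking state into later tests.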
    @@ -334,6 +351,7 @@ QUnit.test( "using", function( assert ) {
     			assert.deepEqual( position, expectedPosition, "correct position for call #" + count );
     			assert.deepEqual( feedback.element.element[ 0 ], elems[ count ] );
     			delete feedback.element.element;
    +			delete feedback.target.element.prevObject;
     			assert.deepEqual( feedback, expectedFeedback );
     			count++;
     		}
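Review bot: `delete feedback.target.element.prevObject;` is needed because `$( document ).find( selector )` returns a set whose `prevObject` points at `document`, which the following whole-object `assert.deepEqual` would otherwise compare against `expectedFeedback`; a short comment saying so would stop a future cleanup from removing it. It also ties the test to an implementation detail of `find()`; comparing the specific fields the test cares about (as the line above already does for `feedback.element.element[ 0 ]`) would be more robust than deleting properties before a deepEqual.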
    
  • ui/position.js · +6 −1 · modified
    @@ -148,7 +148,12 @@ $.fn.position = function( options ) {
     	options = $.extend( {}, options );
     
     	var atOffset, targetWidth, targetHeight, targetOffset, basePosition, dimensions,
    -		target = $( options.of ),
    +
    +		// Make sure string options are treated as CSS selectors
    +		target = typeof options.of === "string" ?
    +			$( document ).find( options.of ) :
    +			$( options.of ),
    +
     		within = $.position.getWithinInfo( options.within ),
     		scrollInfo = $.position.getScrollInfo( within ),
     		collision = ( options.collision || "flip" ).split( " " ),
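Review bot: routing string values through `$( document ).find( options.of )` is the right fix, since `find()` has no HTML-parsing branch, while elements, jQuery objects and events still go through `$( options.of )` unchanged. Two behaviour changes are worth recording in the changelog and the `of` option's API docs: an HTML string that previously worked as `of` now throws a selector syntax error from the engine (the new test swallows it with try/catch), and a valid selector that matches nothing now yields an empty target, so callers relying on the old behaviour need to pass an element or jQuery object instead.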
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 29

News mentions: 0