Control: tags -1 + moreinfo

On Tue, 2021-11-09 at 08:25 +0100, Salvatore Bonaccorso wrote:
> Hi,
>
> On Mon, Nov 08, 2021 at 12:27:03PM +0100, Yadd wrote:
[...]
> > Jquery-UI is the official jQuery user interface library. Prior to version
> > 1.13.0, accepting the value of the `of` option of the `.position()` util
> > from untrusted sources may execute untrusted code. The issue is fixed in
> > jQuery UI 1.13.0. Any string value passed to the `of` option is now treated
> > as a CSS selector. A workaround is to not accept the value of the `of`
> > option from untrusted sources. (CVE-2021-41184)
>
> AFAICS there are two more CVEs for jqueryui which were fixed in 1.13.0
> and so covered in unstable already. Can those be backported as well or
> are they too intrusive?
>

Quick ping on this.

Regards,
Adam
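The advisory's workaround (never accepting the `of` value from untrusted sources), as an added example in application code; this is not from the bug report, Debian's packaging or jQuery UI itself, and the anchor names, selectors and the `.position()` call shown are constructed for illustration.

```javascript
// Added example, not code from the bug report or from jQuery UI. It applies
// the advisory's workaround in application code: a value that may come from
// an untrusted source (URL parameter, JSON, postMessage) is never handed to
// the `of` option of .position(); it is mapped through an allow-list to a
// selector the application wrote itself. Target names and selectors below
// are constructed for the example.

// Fixed set of anchors the UI supports. Only these keys are accepted from
// outside; the selectors are application-controlled constants.
const POSITION_TARGETS = Object.freeze({
  header: '#site-header',
  sidebar: '#sidebar',
  footer: '#site-footer',
});

// Map an untrusted anchor name to an application-owned selector, or null.
// hasOwnProperty avoids matching inherited names such as "constructor".
function resolvePositionTarget(anchorName) {
  if (typeof anchorName !== 'string') return null;
  return Object.prototype.hasOwnProperty.call(POSITION_TARGETS, anchorName)
    ? POSITION_TARGETS[anchorName]
    : null;
}

// Build the options object for $(...).position(). Unknown anchors are
// rejected rather than forwarded, so `of` only ever holds a known selector.
function buildPositionOptions(anchorName) {
  const target = resolvePositionTarget(anchorName);
  if (target === null) {
    throw new RangeError('unknown position anchor');
  }
  return { my: 'left top', at: 'left bottom', of: target, collision: 'flipfit' };
}

// Version gate for the fix the advisory names: string values of `of` are
// treated as CSS selectors from jQuery UI 1.13.0 onward. In a browser this
// would be fed $.ui.version to decide whether the allow-list is a hardening
// step or the only protection in place.
function hasPositionOfFix(version) {
  const parts = String(version).split('.').map((p) => parseInt(p, 10));
  if (parts.length < 2 || parts.some(Number.isNaN)) return false;
  const [major, minor] = parts;
  return major > 1 || (major === 1 && minor >= 13);
}

// Browser usage (jQuery UI present), e.g. anchor taken from the query string:
//   const anchor = new URLSearchParams(location.search).get('anchor');
//   $('#menu').position(buildPositionOptions(anchor));
```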

