Vulnerability Detected: CVE-2024-30875 (Cross-site Scripting - XSS) #2305

@goiaalexandru

Description

Package: jquery-ui@1.13.1 or above.
Vulnerability Title: [CVE-2024-30875] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerability Description:
A Cross-Site Scripting (XSS) vulnerability exists in jquery-ui@1.13.1, allowing a remote attacker to execute arbitrary code and potentially obtain sensitive information. This vulnerability is triggered via a crafted payload targeting the window.addEventListener component.

CVSS Score: 5.1 (Medium)
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVE: CVE-2024-30875

Extra: https://cvefeed.io/vuln/detail/CVE-2024-30875

Steps to Reproduce:

1. Use jquery-ui@1.13.1 or above in a web application.
2. Send a crafted payload to exploit the window.addEventListener component.
3. The payload is improperly neutralized, leading to XSS vulnerability.

Please consider patching this vulnerability in the next release.

Thank you!

Activity

jasonparallel commented on Oct 21, 2024

Was there an issue that was fixed in 1.13.2 but not included in the release notes (https://jqueryui.com/changelog/1.13.2/)?

d-ellis commented on Oct 22, 2024

I don't think there's anything to fix. The CVE proof of concept is so vague it can apply to any app, even if it doesn't use any dependencies. It boils down to "If you take user input and directly insert it into your page, bad things can happen", which is not a jquery-ui problem.

mgol (Member) commented on Oct 25, 2024

This CVE looks bogus, I'm in the process of disputing it.

mgol (Member) commented on Oct 25, 2024

For now, I contacted Snyk and they already took it down from their database: https://security.snyk.io/package/npm/jquery-ui

d-ellis commented on Oct 25, 2024

@mgol I was going to wait until Monday for a response from the reporter and then figure out how to dispute it, but that saves me a job.

mgol (Member) commented on Oct 25, 2024

I’ve submitted a CVE request to Mitre to reject this CVE, I’m waiting for a response now.

I was thinking about waiting for the response first, but the whole report looked so shady and people get bombarded by security requests now that I thought I should get the ball rolling ASAP.

d-ellis commented on Oct 30, 2024

I submitted a request to Sonatype and they have also removed it from their database.

riverar commented on Oct 30, 2024

Thanks @mgol! US Gov. Information Assurance processes are claiming jQuery provided mitigation strategies (upgrading to latest jQuery UI). Have you been in touch with them or is this just (likely) a copy paste error?

mgol (Member) commented on Oct 30, 2024

I've released jQuery UI 1.14.1 today. But there's nothing there to address this report as there's nothing to address, it's bogus. I have not been in touch with them.

riverar commented on Oct 30, 2024

I'll handle pushing back in that channel and (hopefully) getting a correction out, thanks for confirming.

mgroetan commented on Dec 2, 2024

It's still being reported in Veracode. Anyone been in contact with them?
