SCA: security update for jQuery.UI.Combined, jquery-ui, jquery-ui-rails, org.webjars.npm:jquery-ui (GHSA-h6gj-6jjq-h8g9)

medium Tenable Self-Hosted Container Security Plugin ID 415522

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of
jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a
checkboxradio widget on an input enclosed within a label makes that parent label contents considered as
the input label. Calling `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained
encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing
JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can
change the initial HTML can wrap all the non-input contents of the `label` in a `span`. (CVE-2022-31160)

See Also

https://github.com/advisories/GHSA-h6gj-6jjq-h8g9

Plugin Details

Severity: Medium

ID: 415522

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.14

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2022-31160

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/18/2022

Vulnerability Publication Date: 7/15/2022

Reference Information

CVE: CVE-2022-31160

cwe: CWE-79