CVE-2016-7103 — jQuery-UI vulnerable to Cross-site Scripting in dialog closeText

Description

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.

How to fix CVE-2016-7103

To remediate CVE-2016-7103, upgrade the affected package to a fixed version below.

Debian/jqueryui—upgrade to 1.12.1+dfsg-1 or later
—upgrade to 1.12.0 or later
—upgrade to 1.12.0 or later
—upgrade to 1.12.0 or later
—upgrade to 6.0.0 or later

Is CVE-2016-7103 being exploited?

Low — EPSS is 1.8%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

from 0, < 1.12.1+dfsg-1
from 0, < 1.12.0
from 0, < 1.12.0
from 0, < 1.12.0
from 0, < 6.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (40)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-7103
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-7103
PATCHgithub.com/jquery/jquery-ui
WEBrhn.redhat.com/errata/RHSA-2016-2932.html
WEB