CVE-2021-41184

MEDIUM

jQuery UI < 1.13.0 - Cross-Site Scripting via Position Utility 'of' Option


Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-41184. PoCs published by gabrielolivra, CoderDias.

AI-analyzed exploit summary: This PoC demonstrates a Cross-Site Scripting (XSS) vulnerability in jQuery UI v1.12.1 via the `of` option in the `.position()` utility. The exploit injects malicious HTML through the `of` parameter, triggering XSS when the position method is called.

Description

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.
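The fix described above (every string `of` value treated as a CSS selector, never as markup) can also be enforced on the caller side for applications still running an older jQuery UI. The following is an added example, not jQuery UI's own code; `resolveOfOption`, `isSelectorCandidate` and the `lookup` parameter are assumed names, and `stubLookup` is a constructed stand-in for `document.querySelector` so the snippet runs outside a browser.

```javascript
// Added example: apply the jQuery UI 1.13.0 rule ("a string `of` is a CSS
// selector, never markup") in application code that passes user-influenced
// values to .position(). Names here are assumptions, not jQuery UI API.

// Before 1.13.0, .position() handed a string `of` straight to $(), and $()
// parses any string that starts with "<" as HTML, creating the elements it
// describes. That is the XSS sink; a selector lookup never treats its argument
// as markup, and this pre-check gives a clear error for the markup case.
function isSelectorCandidate(value) {
  if (typeof value !== 'string') return false;
  const s = value.trim();
  return s !== '' && !s.startsWith('<');
}

// Resolve an untrusted `of` value to a node before it reaches .position().
// `lookup` is a selector resolver (document.querySelector in a browser).
// Returns an element, or a non-string object such as an Event, or throws;
// it never returns a string, so nothing here can reach $() as markup.
function resolveOfOption(value, lookup) {
  if (value !== null && typeof value === 'object') {
    return value; // Element, jQuery collection, Event: jQuery does not parse objects as HTML
  }
  if (!isSelectorCandidate(value)) {
    throw new TypeError('of: expected an element or a CSS selector');
  }
  let el;
  try {
    el = lookup(value); // querySelector throws on syntactically invalid selectors
  } catch (e) {
    throw new TypeError(`of: invalid selector: ${value}`);
  }
  if (!el) throw new TypeError(`of: selector matched no element: ${value}`);
  return el;
}

// Constructed stand-in for document.querySelector: knows two ids and rejects
// anything that is not a simple id selector, mimicking a SyntaxError.
const constructedDom = { '#menu': { id: 'menu' }, '#anchor': { id: 'anchor' } };
function stubLookup(selector) {
  if (!/^#[\w-]+$/.test(selector)) throw new SyntaxError('bad selector');
  return constructedDom[selector] || null;
}

// Browser usage with jQuery UI 1.12.x (untrustedValue comes from the request):
//   $(menu).position({ my: 'left top', at: 'left bottom',
//     of: resolveOfOption(untrustedValue, (s) => document.querySelector(s)) });
```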

Exploits (2)

nomisec WORKING POC 6 stars
by gabrielolivra · poc
https://github.com/gabrielolivra/Exploit-Medium-CVE-2021-41184

Classification: Working PoC (90%)
Attack type: XSS
Complexity: Trivial
Reliability: Reliable
Target: jQuery UI v1.12.1
No auth needed
Prerequisites: A webpage using jQuery UI v1.12.1 · An element with a known ID to target
devstral-2 · analyzed Feb 16, 2026
github WORKING POC
by CoderDias · poc
https://github.com/CoderDias/CVE-POCs/tree/main/CVE-2021-41184

This repository contains a functional proof-of-concept for CVE-2021-41184, demonstrating an XSS vulnerability in jQuery-UI versions prior to 1.13.0. The exploit leverages the untrusted `of` option in the `.position()` utility to execute arbitrary JavaScript code via a crafted HTML string.

Classification: Working PoC (100%)
Attack type: XSS
Complexity: Trivial
Reliability: Reliable
Target: jQuery-UI < 1.13.0
No auth needed
Prerequisites: Browser with jQuery-UI < 1.13.0 loaded · Ability to execute JavaScript in the browser context
devstral-2 · analyzed Feb 27, 2026

References (15)

Patch, Release Notes, Third Party Advisory: https://www.tenable.com/security/tns-2022-09

Scores

CVSS v3: 6.5
EPSS: 0.3110
EPSS percentile: 96.9%
Attack vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

CWE: CWE-79
Status: published
Products (47):
drupal/drupal 7.0 - 7.86
fedoraproject/fedora 33
fedoraproject/fedora 34
fedoraproject/fedora 35
fedoraproject/fedora 36
jqueryui/jquery_ui < 1.13.0
netapp/h300e_firmware
netapp/h300s_firmware
netapp/h410c_firmware
netapp/h410s_firmware
... and 37 more
Published: Oct 26, 2021
Tracked since: Feb 18, 2026