CVE-2021-41182: 
JavaScript vulnerability analysis and mitigation

jQuery-UI, the official jQuery user interface library, was found to contain a security vulnerability prior to version 1.13.0 where accepting the value of the altField option of the Datepicker widget from untrusted sources could lead to execution of untrusted code. The vulnerability was discovered and disclosed in October 2021 (jQuery Blog, GitHub Advisory).

The vulnerability exists in the Datepicker widget's altField option implementation where untrusted input could be executed as code instead of being treated as a CSS selector. This vulnerability has been assigned CVE-2021-41182 and received a CVSS v3.1 base score of 6.1 (MEDIUM) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating it requires user interaction to exploit and can potentially lead to information disclosure and data modification (NetApp Advisory).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information or addition/modification of data when a user interacts with a maliciously crafted Datepicker widget implementation (NetApp Advisory).

The vulnerability was fixed in jQuery UI version 1.13.0 by ensuring any string value passed to the altField option is treated as a CSS selector. For versions prior to 1.13.0, a workaround is to not accept the value of the altField option from untrusted sources (GitHub Advisory, jQuery Blog).