
Cloud Vulnerability DB
A community-led vulnerabilities database
jQuery-UI, the official jQuery user interface library, was found to have a security vulnerability prior to version 1.13.0. The vulnerability (CVE-2021-41184) involves accepting the value of the `of` option of the `.position()` util from untrusted sources, which could potentially lead to execution of untrusted code (GitHub Advisory, jQuery Blog).
The vulnerability exists in the `.position()` utility function where any string value passed to the `of` option could be executed as untrusted code. The issue was fixed in jQuery UI 1.13.0 by ensuring that any string value passed to the `of` option is now treated as a CSS selector (GitHub Commit). The vulnerability has been assigned a CVSS score of 6.1 (MEDIUM) with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Tenable Advisory).
Successful exploitation of this vulnerability could lead to disclosure of sensitive information or addition or modification of data when untrusted input is processed through the `.position()` utility function (NetApp Advisory).
The primary mitigation is to upgrade to jQuery UI version 1.13.0 or later. For users unable to upgrade immediately, a workaround is available by not accepting the value of the `of` option from untrusted sources (GitHub Advisory).
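One way to apply the workaround on pages that still run a release older than 1.13.0, as an added example that is not jQuery UI's or the advisory's own code. The allowlist entries, the fallback selector and the function names are assumptions made for illustration.

```javascript
// Added example (not jQuery UI code): gate every `of` value that originates
// outside the application before it reaches .position().
const FIXED_VERSION = [1, 13, 0]; // first fixed release named in the advisory

// True when a version string such as "1.12.1" is older than 1.13.0.
// Pre-release suffixes are ignored (assumption: "1.13.0-rc.2" counts as 1.13.0).
function isAffectedVersion(version) {
  const parts = String(version).split(".").map((p) => parseInt(p, 10) || 0);
  for (let i = 0; i < FIXED_VERSION.length; i++) {
    const have = parts[i] || 0;
    if (have !== FIXED_VERSION[i]) return have < FIXED_VERSION[i];
  }
  return false; // exactly 1.13.0
}

// Hypothetical allowlist: the only anchors this application positions against.
const ALLOWED_TARGETS = new Set(["#toolbar", "#sidebar", ".tooltip-anchor"]);
const DEFAULT_TARGET = "#toolbar"; // hypothetical fallback selector

// Map an untrusted value (query string, postMessage, stored preference) to a
// selector that is safe to use as `of`. Only exact allowlist matches pass;
// non-strings, markup and unknown selectors fall back to the default.
// `accepted` lets the caller log rejected input for later review.
function safeOf(untrusted) {
  if (typeof untrusted === "string") {
    const candidate = untrusted.trim();
    if (ALLOWED_TARGETS.has(candidate)) {
      return { of: candidate, accepted: true };
    }
  }
  return { of: DEFAULT_TARGET, accepted: false };
}

// Build the options object for .position() from untrusted input.
function positionOptions(untrusted) {
  const result = safeOf(untrusted);
  return { my: "left top", at: "left bottom", of: result.of };
}

// Browser usage (assumes jQuery and jQuery UI are loaded on the page):
//   if (isAffectedVersion($.ui.version)) { console.warn("upgrade jQuery UI"); }
//   $("#menu").position(positionOptions(valueFromRequest));
```

The allowlist stays useful after upgrading: from 1.13.0 a string is treated as a CSS selector, but an attacker-chosen selector can still anchor the element somewhere the application never intended.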
The vulnerability was addressed as part of jQuery UI's 1.13.0 release, which focused on improving compatibility with recent jQuery versions. The jQuery UI team announced this security fix along with other improvements in their official blog post (jQuery Blog).
Source: This report was generated using AI