CVE-2022-31160: 
JavaScript vulnerability analysis and mitigation

jQuery UI versions prior to 1.13.2 contain a Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-31160. The vulnerability was discovered in the checkboxradio widget functionality, where initializing a checkboxradio widget on an input enclosed within a label makes the parent label contents considered as the input label. The issue was disclosed in July 2022 and affects jQuery UI, a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery (jQuery Blog, GitHub Advisory).

The vulnerability occurs when calling .checkboxradio("refresh") on a widget where the initial HTML contains encoded HTML entities. During the refresh operation, these encoded HTML entities are erroneously decoded, which can lead to the execution of arbitrary JavaScript code. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Ubuntu CVE).

Successful exploitation of this vulnerability could lead to the disclosure of sensitive information or the addition/modification of data through cross-site scripting attacks. When exploited, the vulnerability allows potentially executing JavaScript code in the context of the user's browser session (NetApp Security).

The vulnerability has been patched in jQuery UI version 1.13.2. As a workaround, users who can modify the initial HTML can wrap all the non-input contents of the label in a span element. For long-term mitigation, it is recommended to upgrade to jQuery UI version 1.13.2 or later (GitHub Advisory).

Multiple vendors and distributions have responded to this vulnerability by releasing security updates, including Fedora, Debian, and Ubuntu. NetApp has issued an advisory for their affected products and provided mitigation guidance (Fedora Update, Debian LTS).