Potential jquery-ui Vulnerability (CVE-2022-31160)

Hi there,

We continuously scan all our Products and Packages which we use in our Production Environment.
Afterwards we decide if a found CVE is viable or not. We have Matomo Version 4.10.1 in use and our Scanning Tool of Choice (Sonatype Nexus IQ) found the following Vulnerability:

CVE-2022-31160: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31160
CWE: https://cwe.mitre.org/data/definitions/79.html

Explanation (shortened):
The jquery-ui package is vulnerable to Cross-Site Scripting (XSS) attacks. In cases where the checkboxradio widget is initialized within a label element, the _getCreateOptions() function in checkboxradio.js will erroneously decode any encoded HTML elements within the label when the .checkboxradio( "refresh" ) function is invoked.

Description:
Calling .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the label in a span.

Detection:
The application is vulnerable by using this component if users are able to manipulate the contents of label elements that also contain a checkboxradio widget.

So, I have to kind of evaluate, if this CVE is viable or not. Actually, I would say it's not, cause Matomo doesn't use the described functions or "label elements that contain a checkboxradio widget".

Please let me know if I'm wrong. :wink:

Any Plans of Updating jQuery UI in future Releases?
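The advisory's "Detection" paragraph describes a markup shape rather than a function call, so a quick way to answer "do we use this pattern?" is to audit the application's rendered HTML for it. The script below is an added example (not Matomo's or jQuery UI's code): `LabelAuditor` is a heuristic that flags `<label>` elements holding a checkbox or radio `<input>` next to bare text or non-`<span>` children, and leaves alone labels whose non-input content is wrapped in a `<span>`, which is the workaround the advisory names. The two `refresh_*` functions only model the reported symptom (label text is entity-decoded and then reused as markup) against an escaping counterpart; they are not the library's internals. The sample markup is constructed for the example.

```python
"""Heuristic audit for the label/checkboxradio pattern from CVE-2022-31160.

Added example, not Matomo or jQuery UI code. The parser flags labels that
contain a checkbox/radio input together with bare text or non-<span> child
elements; the refresh_* helpers contrast decode-then-reinsert (the reported
symptom) with decode-then-escape.
"""
import html
from html.parser import HTMLParser

VOID_TAGS = {"input", "br", "img", "hr", "wbr"}  # never carry a closing tag
TOGGLE_TYPES = {"checkbox", "radio"}


class LabelAuditor(HTMLParser):
    """Records <label> elements that hold a checkbox/radio input alongside
    bare text or non-<span> children (the shape the advisory describes)."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.labels = []     # one frame per currently open <label>
        self.findings = []   # direct text of each flagged label

    def handle_starttag(self, tag, attrs):
        if tag == "label":
            self.labels.append({"toggle": False, "text": "", "elems": [], "depth": 0})
            return
        if not self.labels:
            return
        frame = self.labels[-1]
        if frame["depth"] == 0:  # direct child of the label
            if tag == "input" and dict(attrs).get("type", "").lower() in TOGGLE_TYPES:
                frame["toggle"] = True
            elif tag != "span":
                frame["elems"].append(tag)
        if tag not in VOID_TAGS:
            frame["depth"] += 1

    def handle_endtag(self, tag):
        if tag == "label" and self.labels:
            frame = self.labels.pop()
            if frame["toggle"] and (frame["text"].strip() or frame["elems"]):
                self.findings.append(frame["text"].strip())
            return
        if self.labels and tag not in VOID_TAGS:
            self.labels[-1]["depth"] -= 1

    def _direct(self, chunk):
        # Only text that sits directly under the label counts; text inside a
        # <span> (or any other child element) is ignored.
        if self.labels and self.labels[-1]["depth"] == 0:
            self.labels[-1]["text"] += chunk

    def handle_data(self, data):
        self._direct(data)

    def handle_entityref(self, name):
        self._direct(f"&{name};")

    def handle_charref(self, name):
        self._direct(f"&#{name};")


def audit_labels(markup: str) -> list[str]:
    """Return the direct text of every label matching the risky pattern."""
    auditor = LabelAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


def refresh_decoding(label_text: str) -> str:
    """Models the reported behaviour: entity-decode the label text and build
    the refreshed label from it as markup, so encoded tags become live tags."""
    return f'<label>{html.unescape(label_text)}<input type="checkbox"></label>'


def refresh_escaping(label_text: str) -> str:
    """Safe counterpart: re-escape the decoded text before it is used as
    markup, so whatever the label held stays inert text."""
    safe = html.escape(html.unescape(label_text), quote=False)
    return f'<label>{safe}<input type="checkbox"></label>'


# Constructed sample fragment (not taken from Matomo's templates).
SAMPLE_MARKUP = """
<form>
  <label><input type="checkbox" name="a"> Enable &lt;b&gt;bold&lt;/b&gt; mode</label>
  <label><input type="radio" name="b"><span>Wrapped in a span &lt;i&gt;x&lt;/i&gt;</span></label>
  <label>No widget here, just &lt;text&gt;</label>
</form>
"""

if __name__ == "__main__":
    for hit in audit_labels(SAMPLE_MARKUP):
        print("risky label:", hit)
    print(refresh_decoding("Enable &lt;b&gt;bold&lt;/b&gt;"))
    print(refresh_escaping("Enable &lt;b&gt;bold&lt;/b&gt;"))
```

Run it against the HTML the application actually serves (page source or a crawler dump), not the template files, since the widget markup is what jQuery UI sees. The auditor is a coarse filter: a hit means the markup shape exists, and whether users can influence that label text still has to be checked by hand.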

Hi @OlliWu,

I just created a new issue for the vulnerability you discovered on the Matomo Github repo: