Vulnerability Details CVE-2021-32859
The Baremetrics date range picker is a solution for selecting both date ranges and single dates from a single calender view. Versions 1.0.14 and prior are prone to cross-site scripting (XSS) when handling untrusted `placeholder` entries. An attacker who is able to influence the field `placeholder` when creating a `Calendar` instance is able to supply arbitrary `html` or `javascript` that will be rendered in the context of a user leading to XSS. There are no known patches for this issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 44.4%
CVSS Severity
CVSS v3 Score 6.1
References
- https://github.com/Baremetrics/calendar/blob/240c20134ffbf0f0f246a50feff2be1ff19cf349/public/js/Calendar.js#L724
- https://securitylab.github.com/advisories/GHSL-2021-1042_Baremetrics_Date_Range_Picker/
- https://github.com/Baremetrics/calendar/blob/240c20134ffbf0f0f246a50feff2be1ff19cf349/public/js/Calendar.js#L724
- https://securitylab.github.com/advisories/GHSL-2021-1042_Baremetrics_Date_Range_Picker/
Products affected by CVE-2021-32859
-
cpe:2.3:a:baremetrics:date_range_picker:1.0.1
-
cpe:2.3:a:baremetrics:date_range_picker:1.0.10
-
cpe:2.3:a:baremetrics:date_range_picker:1.0.11
-
cpe:2.3:a:baremetrics:date_range_picker:1.0.12
-
cpe:2.3:a:baremetrics:date_range_picker:1.0.13
-
cpe:2.3:a:baremetrics:date_range_picker:1.0.14
-
cpe:2.3:a:baremetrics:date_range_picker:1.0.2
-
cpe:2.3:a:baremetrics:date_range_picker:1.0.3
-
cpe:2.3:a:baremetrics:date_range_picker:1.0.4
-
cpe:2.3:a:baremetrics:date_range_picker:1.0.5
-
cpe:2.3:a:baremetrics:date_range_picker:1.0.6
-
cpe:2.3:a:baremetrics:date_range_picker:1.0.7
-
cpe:2.3:a:baremetrics:date_range_picker:1.0.8
-
cpe:2.3:a:baremetrics:date_range_picker:1.0.9