Baremetrics date range picker vulnerable to Cross-site Scripting
Description
The Baremetrics date range picker is a solution for selecting both date ranges and single dates from a single calendar view. Versions 1.0.14 and prior are prone to cross-site scripting (XSS) when handling untrusted placeholder entries. An attacker who is able to influence the field placeholder when creating a Calendar instance can supply arbitrary HTML or JavaScript that will be rendered in the context of a user, leading to XSS. There are no known patches for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| baremetrics-calendar | npm | <= 1.0.14 | none |
Affected products
- Baremetrics/baremetrics-calendar, v5, range: 1.0.14
Patches
Vulnerability mechanics
Root cause
"Improper neutralization of user-controllable `placeholder` input before it is concatenated into an HTML string and appended to the DOM."
Attack vector
An attacker who can control the `placeholder` field when creating a `Calendar` instance can inject arbitrary HTML or JavaScript [ref_id=2]. The `placeholder` value is concatenated unsanitized into an HTML string that is appended to the DOM via `this.element.append(...)` [ref_id=2]. Because the input is not neutralized before being placed into the web page, the attacker's payload executes in the context of the user's session, leading to cross-site scripting (XSS) [CWE-79].
Affected code
The vulnerable code is in `Calendar.js` at the point where the `placeholder` property is concatenated directly into an HTML string. Specifically, the line `'
What the fix does
No patch is available for this issue [ref_id=1]. The project is no longer maintained, and the maintainer was contacted but no fix was released [ref_id=2]. Users should avoid passing untrusted input to the `placeholder` parameter, or switch to an alternative date-range picker library that properly sanitizes user-controlled values before rendering them in HTML.
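As an added example (not code from the baremetrics-calendar project), the string-concatenation pattern described above is shown beside a hardened version that HTML-escapes the placeholder before it reaches the markup; the exact shape of the generated `<input>` and its class name are assumed here, not copied from `Calendar.js`.

```javascript
// Escape the five characters that matter in HTML text and inside
// double-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (markup shape assumed): the placeholder is concatenated
// straight into the HTML string, so a value containing `">` closes the
// attribute and whatever follows is parsed as new markup.
function buildInputHtmlUnsafe(placeholder) {
  return '<input type="text" class="dr-date" placeholder="' + placeholder + '">';
}

// Hardened pattern: same template, but the value is escaped first, so a `"`
// in the placeholder can no longer terminate the attribute.
function buildInputHtmlSafe(placeholder) {
  return '<input type="text" class="dr-date" placeholder="' + escapeHtml(placeholder) + '">';
}

// Regression check usable in unit tests or CI: the rendered fragment must
// contain exactly one tag, and it must be the <input> we meant to emit.
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.length !== 1 || !tags[0].startsWith('<input ');
}

// Constructed untrusted value: breaks out of the attribute in the unsafe build.
const untrustedPlaceholder = 'Foobar"><i>injected</i>';

// Returns both renderings side by side for inspection.
function demo() {
  return {
    unsafe: buildInputHtmlUnsafe(untrustedPlaceholder),
    safe: buildInputHtmlSafe(untrustedPlaceholder),
  };
}
```

Where the library's DOM is already available, setting the value through `input.setAttribute('placeholder', value)` or `input.placeholder = value` avoids string building entirely and needs no escaping.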
Preconditions
- Input: the attacker must be able to influence the `placeholder` field when a `Calendar` instance is created (e.g., via user-supplied configuration or stored data that feeds into the constructor).
- Network: the victim must visit a page that renders the crafted `Calendar` instance with the attacker-controlled `placeholder`.
Reproduction
Create a `Calendar` instance with a malicious `placeholder` value. For example:
```
var ss = new Calendar({ element: $('.daterange--single'), format: {input: 'YYYY'}, placeholder: 'Foobar">
```
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-465f-mxxh-grc4 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-32859 (GHSA, advisory)
- securitylab.github.com/advisories/GHSL-2021-1042_Baremetrics_Date_Range_Picker (GHSA, advisory)
- github.com/Baremetrics/calendar/blob/240c20134ffbf0f0f246a50feff2be1ff19cf349/public/js/Calendar.js (GHSA, web)
- securitylab.github.com/advisories/GHSL-2021-1042_Baremetrics_Date_Range_Picker/ (MITRE)
News mentions
No linked articles in our index yet.