cvedb.io
CVE-2021-32859
MEDIUM · CVSS 6.1
EPSS exploitation probability: 0%
Published 2023-02-21T15:15:11.787 · Last modified 2026-06-17T03:53:46.533

Summary

The Baremetrics date range picker is a solution for selecting both date ranges and single dates from a single calendar view. Versions 1.0.14 and prior are prone to cross-site scripting (XSS) when handling untrusted `placeholder` entries. An attacker who is able to influence the `placeholder` field when creating a `Calendar` instance can supply arbitrary HTML or JavaScript that will be rendered in the context of a user, leading to XSS. There are no known patches for this issue.

Affected products

baremetrics — date_range_picker

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.