Baremetrics date range picker vulnerable to Cross-site Scripting

The Baremetrics date range picker is a solution for selecting both date ranges and single dates from a single calender view. Versions 1.0.14 and prior are prone to cross-site scripting (XSS) when handling untrusted `placeholder` entries. An attacker who is able to influence the field `placeholder` when creating a `Calendar` instance is able to supply arbitrary `html` or `javascript` that will be rendered in the context of a user leading to XSS. There are no known patches for this issue.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Baremetrics calendar 跨站脚本漏洞

calendar是Baremetrics开源的一个 Baremetrics 的日期范围选择器。 Baremetrics calendar 1.0.14及之前版本存在安全漏洞，该漏洞源于处理不受信任的条目时容易受到跨站脚本(XSS)攻击，攻击者利用该漏洞可以在用户上下文中执行任意HTML或Javascript代码。

N/A

N/A