CVE-2021-33850

Published: Nov 19, 2021Modified: Jun 17, 2026

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

There is a Cross-Site Scripting vulnerability in Microsoft Clarity version 0.3. The XSS payload executes whenever the user changes the clarity configuration in Microsoft Clarity version 0.3. The payload is stored on the configuring project Id page.

Affected (1)

Products: Microsoft: Clarity

Microsoft

1 product

Clarity

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Microsoft Clarity	Version 0.3

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://cybersecurityworks.com/zerodays/cve-2021-33850-stored-cross-site-scripting-xss-in-wordpress-microsoft-clarity-plugin.html

Source: disclose@cybersecurityworks.com

ExploitThird Party Advisory

https://cybersecurityworks.com/zerodays/cve-2021-33850-stored-cross-site-scripting-xss-in-wordpress-microsoft-clarity-plugin.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.