CVE-2023-28799 — Improper Validation of Specified Type of Input in Client Connector

CWE-1287 — Improper Validation of Specified Type of Input CWE-601 — Open Redirect CWE-20 — Improper Input Validation3 documents3 sources

Severity

6.1MEDIUMNVD

CNA8.2

EPSS

0.1%

top 65.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zscaler Client Connector

Timeline

PublishedJun 22

Description

A URL parameter during login flow was vulnerable to injection. An attacker could insert a malicious domain in this parameter, which would redirect the user after auth and send the authorization token to the redirected domain.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5zscaler/client_connector< 3.9 Mac, 3.7 Win, 1.9.3 iOS, 1.10.2 Android, 1.10.1 Chrome OS, 1.4 Linux

▶NVDzscaler/client_connector< 1.4+5

🔴Vulnerability Details

CVEList

CVE-2023-28799: A URL parameter during login flow was vulnerable to injection↗2023-06-22

▶

GHSA

GHSA-frc9-g2r4-48w5: A URL parameter during login flow was vulnerable to injection↗2023-06-22

▶