CVE-2023-28800 — Cross-site Scripting in Client Connector

CWE-79 — Cross-site Scripting CWE-20 — Improper Input Validation3 documents3 sources

Severity

6.1MEDIUMNVD

CNA8.1

EPSS

0.2%

top 58.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zscaler Client Connector

Timeline

PublishedJun 22

Description

When using local accounts for administration, the redirect url parameter was not encoded correctly, allowing for an XSS attack providing admin login.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5zscaler/client_connector< 3.9 Mac, 3.7 Win, 1.9.3 iOS, 1.10.2 Android, 1.10.1 Chrome OS, 1.4 Linux

▶NVDzscaler/client_connector< 1.4+5

🔴Vulnerability Details

CVEList

Output encoding missing in redrurl parameter↗2023-06-22

▶

GHSA

GHSA-crh5-rq78-8m4h: When using local accounts for administration, the redirect url parameter was not encoded correctly, allowing for an XSS attack providing admin login↗2023-06-22

▶