Injection Vulnerability in Zscaler Client Connector for Multiple Platforms
CVE-2023-28799

8.2 HIGH

Key Information:

Vendor
Zscaler

CVE Published:
22 June 2023

What is CVE-2023-28799?

An injection vulnerability exists in the login flow of the Zscaler Client Connector: a URL parameter that tells the client where to send the user after authentication is not validated. An attacker can craft a login URL that places their own domain in this parameter. When the user completes authentication from that URL, the application redirects to the attacker-controlled domain, which can receive the user's authorization token. In practice this is an open redirect in the login flow whose impact is token theft rather than a mere phishing redirect, so the check that matters is whether the post-login destination is restricted to known-good hosts.
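The following is an added example, not Zscaler's code and not taken from the advisory, showing the pattern the description implies: a post-login redirect parameter trusted as-is beside a hardened version that only redirects to an exact-match allow-list of hosts. The parameter name, the tenant hostnames, the token name and the URLs are all constructed assumptions for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allow-list of hosts the client may return to after login.
# These are assumptions for the example, not Zscaler's real configuration.
ALLOWED_REDIRECT_HOSTS = {"login.example-tenant.net", "gateway.example-tenant.net"}
DEFAULT_AFTER_LOGIN = "https://login.example-tenant.net/done"


def vulnerable_post_login_redirect(return_url: str) -> str:
    """The pattern the advisory describes: the parameter is used verbatim,
    so whatever host the attacker placed in it receives the redirect."""
    return return_url


def safe_post_login_redirect(return_url: str) -> str:
    """Hardened version: accept only https URLs whose hostname is an exact
    allow-list match, with no userinfo, explicit port or backslash tricks;
    anything else falls back to a fixed, known-good destination."""
    if not return_url or "\\" in return_url:
        return DEFAULT_AFTER_LOGIN
    parts = urlsplit(return_url)
    # Rejects scheme-relative "//attacker.example/" (empty scheme) and http.
    if parts.scheme.lower() != "https":
        return DEFAULT_AFTER_LOGIN
    # Rejects "https://good.host@attacker.example/" and odd ports.
    if "@" in parts.netloc:
        return DEFAULT_AFTER_LOGIN
    try:
        if parts.port is not None:
            return DEFAULT_AFTER_LOGIN
    except ValueError:  # non-numeric port
        return DEFAULT_AFTER_LOGIN
    host = (parts.hostname or "").lower()
    # Exact match only: "login.example-tenant.net.attacker.example" fails here.
    if host not in ALLOWED_REDIRECT_HOSTS:
        return DEFAULT_AFTER_LOGIN
    # Rebuild from parsed pieces so no fragment or credentials survive.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


def deliver_token(redirect_fn, return_url: str, token: str):
    """Simulates the post-authentication step: the chosen redirect target
    receives the authorization token as a query parameter. Returns the
    hostname that would get the token together with the final URL."""
    target = redirect_fn(return_url)
    glue = "&" if urlsplit(target).query else "?"
    final = f"{target}{glue}token={token}"
    return urlsplit(final).hostname, final


if __name__ == "__main__":
    # Constructed attacker-supplied value for the redirect parameter.
    crafted = "https://attacker.example/steal"
    for name, fn in (("vulnerable", vulnerable_post_login_redirect),
                     ("hardened", safe_post_login_redirect)):
        host, url = deliver_token(fn, crafted, "t0k")
        print(f"{name:10s} -> token goes to {host}: {url}")
```

The vulnerable function hands the token to attacker.example; the hardened one sends it to the fixed default instead. Note that prefix or substring checks on the host (for example `host.startswith("login.example-tenant.net")`) would still pass the `login.example-tenant.net.attacker.example` case, which is why the example compares the parsed hostname against the allow-list exactly.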

Affected Version(s)

Client Connector versions earlier than:

  • 3.9 (macOS)
  • 3.7 (Windows)
  • 1.9.3 (iOS)
  • 1.10.2 (Android)
  • 1.10.1 (Chrome OS)
  • 1.4 (Linux)

CVSS V3.1

Score: 8.2
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Note: scoring the metrics listed above with the CVSS 3.1 base formula gives 8.5 (impact 6.05, exploitability 1.78), not the published 8.2, so confirm the vector against the vendor advisory or NVD before reusing it in your own risk scoring.

Timeline

  • Vulnerability reserved

  • Vulnerability published: 22 June 2023

Credit

Tesla Red Team