CVE-2023-28799: Input Validation
First published: Thu Jun 22 2023(Updated: )
A URL parameter during login flow was vulnerable to injection. An attacker could insert a malicious domain in this parameter, which would redirect the user after auth and send the authorization token to the redirected domain.
Credit: cve@zscaler.com cve@zscaler.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Zscaler Client Connector | <1.4 | |
| zscaler client connector iphone os | <1.9.3 | |
| zscaler client connector chrome os | <1.10.1 | |
| zscaler client connector android | <1.10.2 | |
| Zscaler Client Connector Windows | <3.7 | |
| Zscaler Client Connector | <3.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://help.zscaler.com/client-connector/client-connector-app-release-summary-2022?applicable_category=Linux&applicable_version=1.4&deployment_date=2022-10-31&id=1420246
- https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=Android&applicable_version=1.10.2&deployment_date=2023-03-09&id=1447706
- https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=Chrome%20OS&applicable_version=1.10.1&deployment_date=2023-03-10&id=1447771
- https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=iOS&applicable_version=1.9.3&deployment_date=2023-03-03&id=1447071
- https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=macOS&applicable_version=3.9&deployment_date=2023-01-25&id=1443546
- https://help.zscaler.com/zscaler-client-connector/client-connector-app-release-summary-2021?applicable_category=Windows&applicable_version=3.7&deployment_date=2021-11-26&id=1386541
Frequently Asked Questions
What is CVE-2023-28799?
CVE-2023-28799 is a vulnerability in Zscaler Client Connector that allows an attacker to insert a malicious domain into a URL parameter during the login flow, which could redirect the user and send the authorization token to the redirected domain.
What software is affected by CVE-2023-28799?
Zscaler Client Connector versions up to 1.4 for Linux, up to 1.9.3 for iPhone OS, up to 1.10.1 for Chrome OS, up to 1.10.2 for Android, up to 3.7 for Windows, and up to 3.9 for macOS are affected by CVE-2023-28799.
What is the severity of CVE-2023-28799?
CVE-2023-28799 has a severity rating of 6.1 out of 10, indicating a high level of risk.
How can I mitigate the vulnerability?
To mitigate the vulnerability, it is recommended to update Zscaler Client Connector to the latest version as provided by Zscaler.
Where can I find more information about CVE-2023-28799?
You can find more information about CVE-2023-28799 on the Zscaler website: [link].
- agent/references
- agent/type
- agent/severity
- agent/first-publish-date
- agent/event
- agent/weakness
- agent/description
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/zscaler
- canonical/zscaler client connector
- canonical/zscaler client connector iphone os
- canonical/zscaler client connector chrome os
- canonical/zscaler client connector android
- canonical/zscaler client connector windows