Description
When using local accounts for administration, the redirect URL parameter was not encoded correctly, allowing an XSS attack that provides admin login.
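The defect described above is a classic CWE-79 pattern: a request parameter (here a redirect URL) is written into the HTML of the login page without output encoding. The following is an added example, not code from Zscaler or from the advisory, using a hypothetical login form and a constructed payload; it shows the unencoded rendering beside a hardened version that both HTML-encodes the value and restricts it to a local path.

```python
import html
from urllib.parse import urlparse


def render_login_form_unsafe(redirect_url: str) -> str:
    """Vulnerable pattern: the redirect parameter is interpolated into HTML
    verbatim, so a quote or angle bracket in it breaks out of the attribute."""
    return (
        '<form action="/login">'
        f'<input type="hidden" name="redirect" value="{redirect_url}">'
        '</form>'
    )


def is_local_path(redirect_url: str) -> bool:
    """Accept only same-origin paths: no scheme, no host, not protocol-relative."""
    parsed = urlparse(redirect_url)
    return (
        parsed.scheme == ""
        and parsed.netloc == ""
        and redirect_url.startswith("/")
        and not redirect_url.startswith("//")
    )


def render_login_form_safe(redirect_url: str, default: str = "/") -> str:
    """Hardened pattern: validate the destination, then HTML-encode it
    (quote=True also encodes " and ') before placing it in the attribute."""
    target = redirect_url if is_local_path(redirect_url) else default
    return (
        '<form action="/login">'
        f'<input type="hidden" name="redirect" value="{html.escape(target, quote=True)}">'
        '</form>'
    )


if __name__ == "__main__":
    # Constructed sample input: a redirect value that closes the attribute.
    sample = '/admin"><b>injected</b>'
    print(render_login_form_unsafe(sample))
    print(render_login_form_safe(sample))
```

The encoding step is the fix for the XSS itself; the `is_local_path` check is a separate, complementary control against open redirects, and the test below exercises both independently so that the value of each is visible.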
Problem types
CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Product status
Any version before 3.9 Mac, 3.7 Win, 1.9.3 iOS, 1.10.2 Android, 1.10.1 Chrome OS, 1.4 Linux
Credits
Tesla Red Team
References
help.zscaler.com/....7&deployment_date=2021-11-26&id=1386541
help.zscaler.com/....1&deployment_date=2023-03-10&id=1447771
help.zscaler.com/....2&deployment_date=2023-03-09&id=1447706
help.zscaler.com/....3&deployment_date=2023-03-03&id=1447071
help.zscaler.com/....4&deployment_date=2022-10-31&id=1420246
help.zscaler.com/....9&deployment_date=2023-01-25&id=1443546