CVE-2023-28799

HIGH

Login Flow - Open Redirect

Title source: llm

Description

A URL parameter during login flow was vulnerable to injection. An attacker could insert a malicious domain in this parameter, which would redirect the user after auth and send the authorization token to the redirected domain.

References (6)

[Release Notes] https://help.zscaler.com/client-connector/client-connector-app-release-summary-2022?applicable_category=Linux&applicable_version=1.4&deployment_date=2022-10-31&id=1420246

[Release Notes] https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=Android&applicable_version=1.10.2&deployment_date=2023-03-09&id=1447706

[Release Notes] https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=Chrome%20OS&applicable_version=1.10.1&deployment_date=2023-03-10&id=1447771

[Release Notes] https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=iOS&applicable_version=1.9.3&deployment_date=2023-03-03&id=1447071

[Release Notes] https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=macOS&applicable_version=3.9&deployment_date=2023-01-25&id=1443546

[Release Notes] https://help.zscaler.com/zscaler-client-connector/client-connector-app-release-summary-2021?applicable_category=Windows&applicable_version=3.7&deployment_date=2021-11-26&id=1386541

Scores

CVSS v3 8.2

EPSS 0.0015

EPSS Percentile 35.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-601 CWE-1287

Status published

Products (6)

zscaler/client_connector < 1.10.1

zscaler/client_connector < 1.10.2

zscaler/client_connector < 1.4

zscaler/client_connector < 1.9.3

zscaler/client_connector < 3.7

zscaler/client_connector < 3.9

Published Jun 22, 2023

Tracked Since Feb 18, 2026