CVE-2023-28799 (CVSS 3.1 base score 8.2, vendor rating)
- EPSS 0.11%
- Published 22.06.2023 20:15:09
- Last modified 21.11.2024 07:56:02
- Source cve@zscaler.com
A URL parameter in the login flow was not validated before being used as the post-authentication redirect target (an open redirect). An attacker who placed a malicious domain in that parameter could have the user redirected there after authentication, with the authorization token delivered to the attacker-controlled domain.
Data is provided by the National Vulnerability Database (NVD)
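The weakness described above, as an added Python example that is not Zscaler's code and not taken from the advisory: a post-authentication redirect builder that trusts the return-to parameter as-is, beside a hardened version that validates it against a host allowlist. The allowlist, the parameter name `return_to`, the token-in-fragment delivery and the sample inputs are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist of hosts the login flow may return users to (not from the advisory).
ALLOWED_HOSTS = frozenset({"app.example", "login.example"})


def is_safe_redirect(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for a same-origin absolute path or an https URL on an allowlisted host.

    Rejects the usual open-redirect bypasses: scheme-relative "//host", the
    "///host" and "/\\host" forms browsers normalise to "//host", embedded
    whitespace/control characters, non-https schemes, "https:host" without
    slashes, userinfo tricks such as "https://app.example@evil.example",
    lookalike subdomains, and non-default ports.
    """
    if not url or "\\" in url or url.startswith("//"):
        return False
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port such as "app.example:"
    except ValueError:
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: accept only an absolute path on the current origin.
        return parts.path.startswith("/")
    if parts.scheme != "https":
        return False
    # hostname is lowercased by urlsplit; "https:evil.example" yields hostname None.
    return parts.hostname in allowed_hosts and port in (None, 443)


def build_redirect_vulnerable(return_to: str, token: str) -> str:
    """The flaw: the parameter is trusted as-is, so the token goes to whatever
    host the attacker put into the crafted login link."""
    return f"{return_to}#access_token={token}"


def build_redirect_hardened(return_to: str, token: str, fallback: str = "/") -> str:
    """Validate the parameter first; otherwise fall back to a fixed in-app path."""
    target = return_to if is_safe_redirect(return_to) else fallback
    return f"{target}#access_token={token}"


if __name__ == "__main__":
    # Constructed sample inputs: values a crafted login link might carry in return_to.
    samples = [
        "/dashboard",
        "https://app.example/cb",
        "https://evil.example/",
        "//evil.example/",
        "///evil.example",
        "/\\evil.example",
        "https://app.example@evil.example/",
        "https://app.example.evil.example/",
        "https:evil.example",
        "javascript:alert(1)",
    ]
    for candidate in samples:
        print(f"{candidate!r:40} safe={is_safe_redirect(candidate)}")
    print(build_redirect_vulnerable("https://evil.example/", "TOKEN"))
    print(build_redirect_hardened("https://evil.example/", "TOKEN"))
```

The hardened builder deliberately falls back to a fixed path rather than trying to "clean" the attacker's value; normalising a hostile URL is where most redirect validators go wrong, and the allowlist comparison is made on the parsed hostname, never on a substring of the raw string.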
Vendor | Product | Platform | Affected versions |
---|---|---|---|
Zscaler | Client Connector | Linux | < 1.4 |
Zscaler | Client Connector | iOS | < 1.9.3 |
Zscaler | Client Connector | Chrome OS | < 1.10.1 |
Zscaler | Client Connector | Android | < 1.10.2 |
Zscaler | Client Connector | Windows | < 3.7 |
Zscaler | Client Connector | macOS | < 3.9 |
No CISA KEV entry or CERT.AT advisory was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 0.11% | 30.8% |
Source | Base Score | Exploitability Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 6.1 | 2.8 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
cve@zscaler.com | 8.2 | 1.8 | 5.8 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N |
CWE-1287 Improper Validation of Specified Type of Input
The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.