Cloud security vendor Zscaler has fixed a cross-site-scripting (XSS) vulnerability in the admin portal it provides for customers to manage the product.
Zscaler published an advisory alerting users to the issue, which is now resolved:
“Zscaler has addressed persistent XSS vulnerabilities identified in admin.zscaler[X].net and mobile.zscaler[X].net portals. The post-auth vulnerabilities would have allowed authenticated admin users to inject client-side content into certain admin UI pages, which could impact other admin users of the same company.”
The bug meant that anyone logged into the portal could have inserted malicious code that would run in the browsers of other Zscaler users, facilitating account hijacking and allowing the attacker to perform the same actions as their victim.
Zscaler said this issue would only put users from the same company, i.e. co-workers, at risk.
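The root cause of a persistent XSS like the one described is that a value one admin stores (a name, a label, a comment) is later concatenated into the HTML that other admins see, without being encoded for the HTML context. The following JavaScript is an added example, not Zscaler's code and not from the advisory: it shows the vulnerable rendering pattern beside the hardened one, over a constructed list of admin-entered records, plus a small check a test suite can use to catch regressions.

```javascript
// Added example (not Zscaler code): a stored field rendered unescaped becomes
// persistent XSS; the same field rendered with HTML output encoding does not.
// The adminRecords data below is constructed for this example.

// Constructed sample: records entered by one admin and later shown to others.
const adminRecords = [
  { name: "Branch office London", owner: "alice" },
  // A value that an unescaped template treats as markup rather than text.
  { name: "<script>alert(1)</script>", owner: "mallory" },
];

// Escape the five characters that can change meaning inside an HTML context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: stored data concatenated straight into HTML.
function renderUnsafe(records) {
  return records
    .map((r) => `<li data-owner="${r.owner}">${r.name}</li>`)
    .join("");
}

// Hardened pattern: every interpolated value is encoded for the HTML context,
// including attribute values, so stored text can never become markup.
function renderSafe(records) {
  return records
    .map((r) => `<li data-owner="${escapeHtml(r.owner)}">${escapeHtml(r.name)}</li>`)
    .join("");
}

// Regression check for a test suite: does the rendered output still contain a
// raw <script tag that a browser would execute?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
console.log("unsafe:", renderUnsafe(adminRecords));
console.log("safe:  ", renderSafe(adminRecords));
console.log("unsafe has raw script tag:", containsRawScriptTag(renderUnsafe(adminRecords)));
console.log("safe has raw script tag:  ", containsRawScriptTag(renderSafe(adminRecords)));
```

In a real admin UI the same fix is usually expressed by the framework (auto-escaping templates, or assigning to `textContent` rather than `innerHTML` in the browser); the point of the example is that the encoding must happen at render time for every context the value lands in, not only on input.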
The company thanked security researcher Alex Haynes for alerting them to the issue. In 2016 the researcher found similar vulnerabilities in Forcepoint technology.
Michael Sutton, CISO at Zscaler, told SC Media UK: "While the attack surface in this scenario is quite limited given that the XSS vulns were post auth, we take all vulnerability reports seriously. An attack in this case would have either needed an existing customer admin account to exploit, or the attacker would have needed to target an already logged in administrator."
Sutton added: "We sincerely appreciated the fact that Alex not only brought these issues to our attention but worked with us while we resolved the issues and then validated the patches. It is important to us that we be fully transparent with vulnerability reports and that external researchers know that we will fully investigate their reports and credit them for their efforts."