Tricksy bugs in Zscaler admin portal let you ruin a coworker's day
Cloudy with a chance of XSS
Cloud management software peddler Zscaler has plugged cross-site scripting holes in the admin portal it provides to customers.
In an advisory on the flaws published this week, the biz acknowledged the bugs while playing down the threat. It suggested its programming blunders would only put at risk users within the same company. In other words, you could only inject code into the webpages of your coworkers while they were using Zscaler's admin portal. The Silicon Valley-based biz explained:
Zscaler has addressed persistent XSS vulnerabilities identified in admin.zscaler[X].net and mobile.zscaler[X].net portals. The post-auth vulnerabilities would have allowed authenticated admin users to inject client-side content into certain admin UI pages, which could impact other admin users of the same company.
Zscaler credited security researcher Alex Haynes with discovering the flaws.
Haynes previously unearthed cross-site scripting vulnerabilities within services from Forcepoint, another cloud software player. These flaws were resolved last October.
Cross-site scripting flaws are one of the most common classes of web vulnerabilities. Here's a handy cheat sheet on how to program your web app to avoid one of these security shortcomings. ®