
Tricksy bugs in Zscaler admin portal let you ruin a coworker's day

Cloudy with a chance of XSS

Cloud management software peddler Zscaler has plugged cross-site scripting holes in the admin portal it provides to customers.

People logged into the website could have exploited the bugs to inject malicious HTML and JavaScript into the browsers of other users of the site, allowing them to take over their accounts and perform actions as their victims.

In an advisory on the flaws published this week, the biz acknowledged the bugs while playing down the threat. It suggested its programming blunders would only put at risk users within the same company. In other words, you could only inject code into the webpages of your coworkers while they were using Zscaler's admin portal. The Silicon Valley-based biz explained:

Zscaler has addressed persistent XSS vulnerabilities identified in admin.zscaler[X].net and mobile.zscaler[X].net portals. The post-auth vulnerabilities would have allowed authenticated admin users to inject client-side content into certain admin UI pages, which could impact other admin users of the same company.

Zscaler credited security researcher Alex Haynes with discovering the flaws.

Haynes previously unearthed cross-site scripting vulnerabilities within services from Forcepoint, another cloud software player. These flaws were resolved last October.

Cross-site scripting flaws are one of the most common classes of web vulnerabilities. Here's a handy cheat sheet on how to program your web app to avoid one of these security shortcomings. ®
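As an added illustration (not Zscaler's code; the function names and sample records are constructed), this shows the persistent XSS pattern the advisory describes, an admin-entered value stored and later rendered into another admin's page, with the unsafe string concatenation beside an output-encoded version and a small check that flags markup the template did not produce:

```javascript
// Added example: stored ("persistent") XSS in an admin UI and its fix.
// renderPolicyTableUnsafe, renderPolicyTableSafe, findUnexpectedTags and
// the records below are constructed for illustration, not product code.

// Constructed store of admin-supplied records, as a portal would keep them.
const storedPolicies = [
  { name: 'Block social media', owner: 'alice' },
  // A constructed hostile entry saved by another admin of the same tenant.
  { name: '<img src=x onerror="alert(document.cookie)">', owner: 'mallory' },
];

// Vulnerable: user-controlled strings concatenated straight into HTML, so
// a stored entry becomes live markup in every admin's browser that views it.
function renderPolicyTableUnsafe(policies) {
  return '<table>' + policies.map(p =>
    `<tr><td>${p.name}</td><td>${p.owner}</td></tr>`).join('') + '</table>';
}

// Encode the five characters that can break out of an HTML text node or a
// double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Hardened: every untrusted value is encoded at the point of output.
function renderPolicyTableSafe(policies) {
  return '<table>' + policies.map(p =>
    `<tr><td>${escapeHtml(p.name)}</td><td>${escapeHtml(p.owner)}</td></tr>`
  ).join('') + '</table>';
}

// Defensive check for rendered output: list any opening tag that is not one
// the template itself emits, or that carries an inline event handler.
function findUnexpectedTags(html, allowed = ['table', 'tr', 'td']) {
  const found = [];
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, tag, attrs] = m;
    if (!allowed.includes(tag.toLowerCase()) || /\bon\w+\s*=/i.test(attrs)) {
      found.push(tag.toLowerCase());
    }
  }
  return found;
}

console.log('unsafe:', findUnexpectedTags(renderPolicyTableUnsafe(storedPolicies)));
console.log('safe:  ', findUnexpectedTags(renderPolicyTableSafe(storedPolicies)));
```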
