Cloud security vendor Zscaler has fixed a cross-site-scripting (XSS) vulnerability in the admin portal which it built for customers to manage the product.
Zscaler published an advisory alert users to the issue, which is now solved:
“Zscaler has addressed persistent XSS vulnerabilities identified in admin.zscaler[X].net and mobile.zscaler[X].net portals. The post-auth vulnerabilities would have allowed authenticated admin users to inject client-side content into certain admin UI pages, which could impact other admin users of the same company.”
The bug means anyone logged into the website could have inserted malicious code into the browsers of others Zscaler users, which would have facilitated account hijacking, allowing the criminal to perform the same actions as their victim.
Zscaler said this issue would only put users from the same company, ie co-workers, at risk.
The company thanked security researcher Alex Haynes for alerting them to the issue. In 2016 the researcher found similar vulnerabilities in Forcepoint technology.