Zscaler: >> Client Connector Security Vulnerabilities
Zscaler Client Connector for Windows before 4.1 writes/deletes a configuration file inside specific folders on the disk. A malicious user can replace the folder and execute code as a privileged user.
CVSS Score
6.3
EPSS Score
0.0
Published
2023-10-23
An authentication bypass by spoofing of a device with a synthetic IP address is possible in Zscaler Client Connector on Windows, allowing a functionality bypass. This issue affects Client Connector: before 3.9.
CVSS Score
5.9
EPSS Score
0.0
Published
2023-10-23
An Improper Verification of Cryptographic Signature vulnerability in Zscaler Client Connector on Linux allows replacing binaries.This issue affects Linux Client Connector: before 1.4.0.105
CVSS Score
8.2
EPSS Score
0.0
Published
2023-10-23
An Improper Input Validation vulnerability in Zscaler Client Connector on Linux allows Privilege Escalation. This issue affects Client Connector: before 1.4.0.105
CVSS Score
6.7
EPSS Score
0.001
Published
2023-10-23
Zscaler Client Connector Installer on Windows before version 3.4.0.124 improperly handled directory junctions during uninstallation. A local adversary may be able to delete folders in an elevated context.
CVSS Score
4.4
EPSS Score
0.0
Published
2023-10-23
A URL parameter during login flow was vulnerable to injection. An attacker could insert a malicious domain in this parameter, which would redirect the user after auth and send the authorization token to the redirected domain.
CVSS Score
8.2
EPSS Score
0.001
Published
2023-06-22
When using local accounts for administration, the redirect url parameter was not encoded correctly, allowing for an XSS attack providing admin login.
CVSS Score
8.1
EPSS Score
0.002
Published
2023-06-22
The Zscaler Client Connector prior to 2.1.2.150 did not quote the search path for services, which allows a local adversary to execute code with system privileges.
CVSS Score
7.8
EPSS Score
0.001
Published
2021-07-15
The Zscaler Client Connector for Windows prior to 2.1.2.105 had a DLL hijacking vulnerability caused due to the configuration of OpenSSL. A local adversary may be able to execute arbitrary code in the SYSTEM context.
CVSS Score
7.8
EPSS Score
0.001
Published
2021-07-15
The Zscaler Client Connector for Windows prior to 2.1.2.74 had a stack based buffer overflow when connecting to misconfigured TLS servers. An adversary would potentially have been able to execute arbitrary code with system privileges.
CVSS Score
9.8
EPSS Score
0.011
Published
2021-07-15