When using local accounts for administration, the redirect url parameter was not encoded correctly, allowing for an XSS attack providing admin login.
zscaler client connector