The U.S. Computer Emergency Response Team (US-CERT) says clientless SSL VPN products from multiple vendors are confirmed vulnerable. This security problem, discussed since at least 2006, could let an attacker use these devices to bypass authentication or conduct other web-based attacks. There is no solution to this problem. Depending on their specific configuration and location in the network, these devices may be impossible to operate securely. Administrators are urged to consider the following workarounds: Limit URL rewriting to trusted domains.
Source: https://threatpost.com/clientless-ssl-vpns-break-web-browser-security-models-120109/73175/