CVE-2020-35203
Description
Reflected XSS in Web Compliance Manager in Quest Policy Authority version 8.1.2.200 allows attackers to inject malicious code into the browser via a specially crafted link to the initFile.jsp file via the msg parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Quest Policy Authority Web Compliance Manager allows unauthenticated attackers to execute arbitrary JavaScript via a crafted link to initFile.jsp.
Vulnerability
The vulnerability is a reflected cross-site scripting (XSS) in the initFile.jsp endpoint of the Web Compliance Manager component in Quest Policy Authority for Unified Communications version 8.1.2.200. The msg parameter is reflected in the response without sanitization or encoding, allowing injection of arbitrary HTML and JavaScript. No authentication is required to trigger the vulnerability. [1]
Exploitation
An attacker can craft a malicious URL containing a JavaScript payload in the msg parameter, e.g., ?msg=. When a victim clicks the link, the script executes in the context of the application's origin. No prior authentication or special privileges are needed. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, credential theft, or defacement. The attack is limited to the browser context of the application; however, because the product is end-of-life and unsupported, no patch is available. [1]
Mitigation
Quest has confirmed that Policy Authority for Unified Communications version 8.1.2.200 is end-of-life and has been unsupported for over seven years. No patches will be issued. The only mitigation is to decommission or replace the product with a supported alternative. [1]
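Until an affected instance is decommissioned, requests matching the pattern described above can be flagged in web-server access logs. The following is an added example, not code from the advisory or from Quest; it assumes Common/Combined Log Format, and the `/wcm/` path prefix, addresses and log lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line of a Common/Combined Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters needed to break out of HTML text or attribute context.
MARKUP_RE = re.compile(r'[<>"\'`]')

def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding (%253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_msg(log_line):
    """Return the decoded msg value when the line is a request to initFile.jsp
    whose msg parameter contains markup characters; otherwise None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    # Drop servlet path parameters such as ";jsessionid=..." before matching.
    path = url.path.split(";", 1)[0].lower()
    if not path.endswith("/initfile.jsp"):
        return None
    # parse_qsl performs the first round of percent-decoding.
    for name, value in parse_qsl(url.query):
        if name == "msg":
            decoded = decode_fully(value)
            if MARKUP_RE.search(decoded):
                return decoded
    return None

def flag_lines(lines):
    """Return (line_number, decoded_msg) for every suspicious entry."""
    hits = [(n, suspicious_msg(line)) for n, line in enumerate(lines, 1)]
    return [(n, msg) for n, msg in hits if msg is not None]

# Constructed sample entries; the /wcm/ prefix and addresses are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2021:10:00:00 +0000] "GET /wcm/initFile.jsp?msg=Upload+complete HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2021:10:00:05 +0000] "GET /wcm/initFile.jsp?msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 540',
    '203.0.113.9 - - [01/Jan/2021:10:01:00 +0000] "GET /wcm/initFile.jsp;jsessionid=ABC?msg=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 530',
    '203.0.113.9 - - [01/Jan/2021:10:02:00 +0000] "GET /wcm/other.jsp?msg=%3Cb%3E HTTP/1.1" 200 100',
]
```

Legitimate messages that contain quote characters will also match, so hits are leads for review rather than confirmed attempts.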
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Quest/Policy Authority
  - Range: = 8.1.2.200
Patches
No patches discovered yet.