CVE-2020-35204
Description
Reflected XSS in Quest Policy Authority version 8.1.2.200 allows attackers to inject malicious code into the browser via a specially crafted link to the PolicyAuthority/Common/FolderControl.jsp file via the unqID parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Quest Policy Authority 8.1.2.200 allows unauthenticated attackers to inject malicious JavaScript via the unqID parameter in FolderControl.jsp. Product is end-of-life with no patch.
Vulnerability
The vulnerability is a reflected cross-site scripting (XSS) issue in Quest Policy Authority for Unified Communications version 8.1.2.200. It resides in the PolicyAuthority/Common/FolderControl.jsp file, where the unqID parameter is reflected in the response without proper sanitization or encoding. An unauthenticated attacker can craft a malicious link containing JavaScript payload in the unqID parameter, which will be executed in the context of the victim's browser session. This affects the main application component and does not require prior authentication [1].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted link to a victim, such as via email or by hosting it on a malicious site. The link targets the vulnerable endpoint with a payload in the unqID parameter. For example: https://target/PolicyAuthority/Common/FolderControl.jsp?unqID=. When the victim clicks the link, the injected script executes in their browser, potentially allowing the attacker to steal cookies, session tokens, or perform actions on behalf of the victim [1]. Additionally, certain payloads can cause HTTP 500 errors and persist in the user's session, amplifying the impact.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, cookie theft, defacement of the application interface, or redirection to malicious sites. Since the product is end-of-life and no patch is available, any organization still using this version is exposed. The attacker does not require any privileges or special access to trigger the vulnerability [1].
Mitigation
Quest Policy Authority for Unified Communications version 8.1.2.200 is end-of-life and has been unsupported for over seven years. The vendor has confirmed that no patches will be issued [1]. Organizations should upgrade to a supported alternative or discontinue use of the product. As a workaround, network-level protections such as web application firewalls (WAF) with rules to detect and block XSS payloads in the unqID parameter may reduce risk, but do not address the root cause.
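The workaround above relies on spotting hostile unqID values before they reach the unpatched endpoint. The following is an added example (not code from the page, from Quest, or from any WAF vendor) of that detection logic run over web-server access logs: it isolates requests to FolderControl.jsp, pulls out the unqID parameter, strips any layered percent-encoding, and flags values that contain markup or event-handler fragments, which an opaque identifier should never contain. The log lines are constructed for the example, and the combined log format, the case-sensitive parameter name and the 500-status correlation are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Endpoint and parameter named in the CVE description (path compared case-insensitively).
VULN_PATH = "/policyauthority/common/foldercontrol.jsp"
PARAM = "unqID"

# Combined-log-format request line: client IP, timestamp, "METHOD target HTTP/x.y", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Fragments that have no business inside an identifier value: tag/attribute delimiters,
# a javascript: scheme, or an on*= event handler.
SUSPECT_RE = re.compile(r"[<>\"']|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed sample traffic (not real logs). Line 2 is single-encoded markup, line 3 an
# attribute-breakout that also produced a 500, line 4 hits a different page, line 5 is
# double-encoded so a single decode pass would miss it.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2026:10:00:01 +0000] "GET /PolicyAuthority/Common/FolderControl.jsp?unqID=f3a9c2 HTTP/1.1" 200 1824
10.0.0.7 - - [01/Jan/2026:10:00:02 +0000] "GET /PolicyAuthority/Common/FolderControl.jsp?unqID=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2011
10.0.0.9 - - [01/Jan/2026:10:00:03 +0000] "GET /PolicyAuthority/Common/FolderControl.jsp?unqID=%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 500 512
10.0.0.3 - - [01/Jan/2026:10:00:04 +0000] "GET /PolicyAuthority/Common/Other.jsp?unqID=%3Cb%3E HTTP/1.1" 200 900
10.0.0.11 - - [01/Jan/2026:10:00:05 +0000] "GET /PolicyAuthority/Common/FolderControl.jsp?unqID=%253Cscript%253E HTTP/1.1" 200 2011
"""


def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so double-encoded values are seen as sent."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line):
    """Return a finding dict for a suspicious FolderControl.jsp request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path.lower() != VULN_PATH:
        return None
    # parse_qs already removes one layer of encoding; fully_decode removes any further layers.
    for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        decoded = fully_decode(raw)
        if SUSPECT_RE.search(decoded):
            return {"ip": m.group("ip"), "status": int(m.group("status")), "unqID": decoded}
    return None


def scan_log(text):
    """Scan a block of access-log text and return all findings in order."""
    return [hit for hit in (inspect_line(ln) for ln in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} status={hit['status']} unqID={hit['unqID']!r}")
```

The same value-level check (decode repeatedly, then reject anything containing `<`, `>`, quotes, `javascript:` or an `on*=` fragment) is what a WAF rule scoped to this parameter would implement; logging the 500 responses alongside the hits is useful because the narrative above notes that some payloads trigger server errors, which gives a second, payload-independent signal to correlate.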
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Quest/Policy Authority
- Range: =8.1.2.200
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.