CVE-2020-35205
Description
Server Side Request Forgery (SSRF) in Web Compliance Manager in Quest Policy Authority version 8.1.2.200 allows attackers to scan internal ports and make outbound connections via the initFile.jsp file. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SSRF in Quest Policy Authority Web Compliance Manager allows internal port scanning and potential database takeover on EoL product.
Vulnerability
Server-Side Request Forgery (SSRF) exists in the initFile.jsp endpoint of Web Compliance Manager in Quest Policy Authority version 8.1.2.200. An unauthenticated attacker can force the server to make requests to arbitrary internal hosts and ports via the msg parameter [1].
Exploitation
No authentication is required. The attacker sends a crafted HTTP GET request to /WebCM/initFile.jsp with a target URL in the msg parameter. The server processes the request and attempts to connect to the specified internal host and port [1].
Impact
Successful exploitation enables internal port scanning and service enumeration. On unconfigured instances, the attacker can redirect the initial configuration process to an attacker-controlled database, potentially achieving full application takeover [1].
Mitigation
Quest has confirmed that Policy Authority for Unified Communications version 8.1.2.200 has reached end-of-life and is no longer supported. No patches will be issued. Users should migrate away from the product or isolate it from untrusted networks [1].
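As an added, defender-side example that is not part of this CVE record or of Quest's product: a small Python scanner that reads web-access log lines, flags requests to the initFile.jsp endpoint whose msg parameter carries an absolute URL (the request shape described under Exploitation), and groups the internal hosts and ports each client asked the server to reach, which is the signal for the port scanning described under Impact. The log lines, addresses and timestamps are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [26/May/2026:10:00:01 +0000] "GET /WebCM/initFile.jsp?msg=http://10.0.0.20:1433/ HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [26/May/2026:10:00:02 +0000] "GET /WebCM/initFile.jsp?msg=http://127.0.0.1:22/ HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.7 - - [26/May/2026:10:00:03 +0000] "GET /WebCM/initFile.jsp?msg=hello HTTP/1.1" 200 100 "-" "Mozilla/5.0"
10.0.0.8 - - [26/May/2026:10:00:04 +0000] "GET /WebCM/login.jsp HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def ssrf_target(request_target):
    """(host, port) when the request hits /WebCM/initFile.jsp with a msg value that
    is an absolute URL (server asked to connect out); else None. Port 0 = malformed."""
    parts = urlsplit(request_target)
    if parts.path.lower() != "/webcm/initfile.jsp":
        return None
    for msg in parse_qs(parts.query).get("msg", []):
        u = urlsplit(msg)
        if not (u.scheme and u.hostname):
            continue
        try:
            port = u.port or {"http": 80, "https": 443}.get(u.scheme, 0)
        except ValueError:  # e.g. ":99999"; still worth reporting
            port = 0
        return (u.hostname, port)
    return None

def find_ssrf_attempts(log_text):
    """One finding per logged request that matches the CVE's request shape."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        hit = ssrf_target(m.group("target")) if m else None
        if hit:
            findings.append({"src": m.group("src"), "ts": m.group("ts"), "host": hit[0], "port": hit[1]})
    return findings

def targets_by_source(findings):
    """Distinct (host, port) pairs per client; one client cycling ports is the scan signature."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["src"], set()).add((f["host"], f["port"]))
    return {src: sorted(pairs) for src, pairs in grouped.items()}
```

Run it against the real access log of the Web Compliance Manager host; any client with more than a handful of distinct (host, port) pairs is a candidate for the internal scanning this CVE enables.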
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Quest/Policy Authority
- Range: = 8.1.2.200
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.