CVE-2020-35206
Description
Reflected XSS in Web Compliance Manager in Quest Policy Authority version 8.1.2.200 allows attackers to inject malicious code into the browser via a specially crafted link to the cConn.jsp file via the ur parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Quest Policy Authority Web Compliance Manager's cConn.jsp allows attackers to execute arbitrary JavaScript via a crafted link, affecting unsupported version 8.1.2.200.
Vulnerability
The Web Compliance Manager component of Quest Policy Authority for Unified Communications version 8.1.2.200 contains a reflected cross-site scripting (XSS) vulnerability in the cConn.jsp file. The ur parameter is reflected in the response without proper sanitization or encoding, allowing injection of arbitrary HTML and JavaScript. No authentication is required to trigger the vulnerability.
Exploitation
An attacker crafts a URL that places the payload in the ur parameter, for example http://target/WebCM/cConn.jsp?ur=<payload>, where <payload> is attacker-chosen HTML or JavaScript. When a victim opens the link, the injected script runs in the origin of the Web Compliance Manager application. The attacker needs no prior authentication or special network position beyond the ability to deliver the link to a user, for example by phishing.
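The reflection described above, and the safe way to confirm it, as an added example that is not Quest's code or anything taken from the CVE references. The real cConn.jsp source is not public, so the page below is a stand-in that assumes the ur value lands inside an `<a href>` and its link text (an assumption; a parameter named ur is plausibly a redirect target). The probe is an inert canary rather than a live payload, so it can be sent to a production host without executing anything in anyone's browser:

```python
"""Model of the cConn.jsp reflection and a safe probe for it.

Added example, not code from Quest or from the CVE references. The real
cConn.jsp source is not public; the page below is a stand-in that assumes
the ur value lands inside an <a href> and its text (assumption).
"""
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

# Constructed probe: carries the three characters that any HTML sink must
# encode. It is inert (no executable payload), so it is safe to send to a
# production host just to confirm the reflection.
CANARY = "qpa<'\"xss"


def _ur_param(url: str) -> str:
    """Extract the ur query parameter the way a JSP getParameter() would (percent-decoded)."""
    return parse_qs(urlsplit(url).query).get("ur", [""])[0]


def vulnerable_page(url: str) -> str:
    """Stand-in for the reported behaviour: ur is echoed into the HTML unchanged."""
    ur = _ur_param(url)
    return f'<html><body><a href="{ur}">{ur}</a></body></html>'


def is_safe_href(value: str) -> bool:
    """Accept only http(s) URLs or a site-local absolute path; rejects javascript: and //host."""
    value = value.strip()
    parts = urlsplit(value)
    if parts.scheme:
        return parts.scheme in ("http", "https")
    return value.startswith("/") and not value.startswith(("//", "/\\"))


def hardened_page(url: str) -> str:
    """Same page with the two fixes a maintainer would ship: HTML-encode the
    reflected value and validate it before using it as a link target.
    Encoding alone does not stop javascript: in an href, so both are needed."""
    ur = _ur_param(url)
    href = escape(ur, quote=True) if is_safe_href(ur) else "#"
    return f'<html><body><a href="{href}">{escape(ur, quote=True)}</a></body></html>'


def reflects_unencoded(page, base_url: str) -> bool:
    """Send the canary through `page` (a callable standing in for an HTTP GET)
    and report whether it comes back with < ' " intact, i.e. exploitable."""
    body = page(base_url + "?ur=" + quote(CANARY, safe=""))
    return CANARY in body


if __name__ == "__main__":
    base = "http://target/WebCM/cConn.jsp"
    print("vulnerable:", reflects_unencoded(vulnerable_page, base))  # True
    print("hardened:  ", reflects_unencoded(hardened_page, base))    # False
```

Against a real host, replace the `page` callable with an HTTP GET and search the response body for the canary; a match means the three characters came back unencoded and the sink is exploitable. The hardened variant also shows why output encoding by itself is not the whole fix when the reflected value is used as a link: `javascript:alert(1)` survives HTML-encoding untouched, so the href needs scheme validation as well.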
Impact
Successful exploitation lets the attacker run arbitrary JavaScript in the victim's browser within the application's origin, which can lead to session hijacking, credential theft, defacement, redirection to attacker-controlled sites, or any action the victim's session is authorized to perform in the Web Compliance Manager. The vulnerability itself is client-side: it does not give the attacker code execution on the server.
Mitigation
Quest has confirmed that Policy Authority for Unified Communications version 8.1.2.200 is end-of-life and has been unsupported for over seven years [1]. No patch will be issued. The only complete mitigation is to decommission or replace the product with a supported alternative; until that happens, restrict network access to the Web Compliance Manager and block or alert on requests to cConn.jsp whose ur parameter contains markup. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of publication.
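With no patch coming, detection is the practical compensating control. The following is an added example, not Quest's code: a sweep over web-server access logs that flags requests to cConn.jsp whose ur parameter carries HTML or JavaScript after full percent-decoding, so double-encoded attempts meant to slip past a WAF are caught too. The log lines are constructed for the example and assume the reverse proxy in front of the application logs in Apache combined format (an assumption):

```python
"""Access-log sweep for attempts against the cConn.jsp ur parameter.

Added example, not Quest's code. The log lines are constructed in Apache
combined format (assumption: the proxy in front of the app logs that way).
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Indicators of an HTML/JS injection attempt once the value is fully decoded:
# a tag open, a javascript: URL, an on*= event handler, or an HTML entity.
XSS_MARKERS = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=|&#x?[0-9a-f]+;", re.I)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (attackers double-encode to get past WAFs)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(text: str) -> list:
    """Return one record per request to cConn.jsp whose ur parameter carries XSS markers."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.lower().endswith("/cconn.jsp"):
            continue
        ur = parse_qs(parts.query).get("ur", [""])[0]  # parse_qs already decodes once
        ur = fully_decode(ur)
        if XSS_MARKERS.search(ur):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "ur": ur})
    return hits


# Constructed sample: one legitimate redirect, three attack variants, and one
# unrelated page that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2021:10:00:01 +0000] "GET /WebCM/cConn.jsp?ur=/WebCM/home.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2021:10:00:05 +0000] "GET /WebCM/cConn.jsp?ur=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2021:10:00:09 +0000] "GET /WebCM/cConn.jsp?ur=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2021:10:00:12 +0000] "GET /WebCM/cConn.jsp?ur=javascript:alert(1) HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2021:10:00:15 +0000] "GET /WebCM/other.jsp?q=%3Cscript%3E HTTP/1.1" 404 200 "-" "Mozilla/5.0"
"""


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The same marker regex, applied to the decoded ur value, is the rule to put in front of the application as a block, with the log sweep kept as the alerting half: a hit with status 200 means the reflection was served, and the victim's session should be treated as exposed.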
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Quest / Policy Authority
- Range: = 8.1.2.200
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.