CVE-2020-35720
Description
Stored XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to store malicious code in multiple fields (first name, last name, and logon name) when creating or modifying a user via the submitUser.jsp file. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Quest Policy Authority 8.1.2.200 via user profile fields (first name, last name, logon name) on submitUser.jsp; no patch available as product is end-of-life.
Vulnerability
CVE-2020-35720 is a stored cross-site scripting (XSS) vulnerability in Quest Policy Authority for Unified Communications version 8.1.2.200. The flaw exists in the submitUser.jsp file, where multiple user profile fields — first name, last name, and logon name — are not sanitized before being stored and later rendered in the application. The product has been officially declared end-of-life and has been unsupported for over seven years; no patches will be issued [1].
Exploitation
An attacker must be authenticated with privileges to create or modify users (e.g., an administrator or delegated user manager). The attacker crafts a malicious JavaScript payload and submits it via one or more of the vulnerable fields when creating or editing a user through `submitUser.jsp`. The payload is stored server-side and executed in the browser of any user who subsequently views the affected user's profile or a page that renders those fields [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, data exfiltration, or forced actions within the application. Because the XSS is stored, the payload fires every time any authenticated user views a page that renders the affected user record; no interaction beyond viewing the page is required [1].
Mitigation
Quest has confirmed that Policy Authority for Unified Communications is end-of-life and will not receive any patches. There is no fix available from the vendor. Organizations still running the product should immediately isolate or decommission it, or migrate to a supported alternative. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
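With no vendor fix available, a defender's remaining options on the application side are to audit the stored user records for injected markup in the three fields named above and, wherever a rendering layer can still be changed, to HTML-encode those fields at output time. The Python below is an added example, not code from Quest or from this page: the field names follow the CVE description, the user records are constructed, and the patterns are a conservative assumption about what a name or logon field should never contain.

```python
import html
import re

# Constructed sample records for the three fields named for CVE-2020-35720
# (first name, last name, logon name). The third record carries injected markup.
SAMPLE_USERS = [
    {"logon": "asmith", "first": "Alice", "last": "Smith"},
    {"logon": "bjones", "first": "Bob", "last": "O'Brien"},
    {"logon": "mallory", "first": "Eve <b>Admin</b>", "last": "x\" onfocus=\"y"},
]

# Assumed patterns: HTML-significant content that a personal name or account
# name has no legitimate reason to contain. Apostrophes are deliberately not
# flagged, so names such as O'Brien do not produce false positives.
SUSPECT_PATTERNS = {
    "html_tag": re.compile(r"</?\s*[A-Za-z][^>]*>"),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "js_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
}


def suspicious_reasons(value):
    """Return the names of every pattern that matches a stored field value."""
    return [name for name, rx in SUSPECT_PATTERNS.items() if rx.search(value)]


def audit_users(users):
    """Flag (logon, field, reason) for every stored field that looks like markup."""
    findings = []
    for user in users:
        for field in ("first", "last", "logon"):
            for reason in suspicious_reasons(user[field]):
                findings.append((user["logon"], field, reason))
    return findings


def render_row_unsafe(user):
    """The pattern behind a stored XSS: raw field values concatenated into HTML."""
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (
        user["logon"], user["first"], user["last"])


def render_row_safe(user):
    """The same row with each value HTML-escaped for element content."""
    cells = (html.escape(user[f], quote=True) for f in ("logon", "first", "last"))
    return "<tr>" + "".join("<td>%s</td>" % c for c in cells) + "</tr>"


if __name__ == "__main__":
    for finding in audit_users(SAMPLE_USERS):
        print("suspect field: logon=%s field=%s reason=%s" % finding)
    print(render_row_safe(SAMPLE_USERS[2]))
```

Run it over an export of the real user table rather than the constructed records to find profiles that need to be cleaned or disabled before the host is isolated.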
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Quest/Policy Authority
- Range: = 8.1.2.200
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.