Unrated severity · NVD Advisory · Published Jan 11, 2021 · Updated Aug 4, 2024

CVE-2020-35721

Description

Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the BrowseAssets.do file via the title parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code via a crafted link to BrowseAssets.do.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in Quest Policy Authority for Unified Communications version 8.1.2.200 [1]. The flaw resides in the BrowseAssets.do endpoint, where the title parameter is reflected in the response without proper sanitization or encoding [1]. This allows an attacker to inject arbitrary HTML or JavaScript code that executes in the context of the victim's browser. The product is end-of-life and has been unsupported for over seven years at the time of disclosure [1].

Exploitation

The attacker must craft a malicious link containing a payload in the title parameter and trick an authenticated user into clicking it [1]. No authentication is required to trigger the reflection; however, the victim must have an active session with the application for the injected script to perform actions on their behalf. The attack vector is over the network, with no special privileges required by the attacker [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information displayed within the application [1]. The injected script operates within the same origin as the vulnerable application, granting access to cookies, local storage, and other session data. Because no fix is available, deployed instances remain exposed.

Mitigation

Quest confirmed that Policy Authority for Unified Communications has reached end-of-life and no patch will be issued [1]. Users are strongly advised to upgrade to a supported alternative or, if continued use is unavoidable, to mitigate exposure by restricting access to the application via network controls (e.g., firewalls, VPNs) and ensuring that users do not follow untrusted links while authenticated [1]. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
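
Because no patch will be issued, log monitoring complements the network restrictions above. The following is an added example, not part of the advisory or any Quest material: it scans web access logs for requests to BrowseAssets.do whose title parameter decodes, even after repeated percent-encoding, to HTML markup characters. The Combined Log Format, the `/pa/` path prefix and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Request line of a Common/Combined Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters that let a reflected value break out of HTML text or attributes.
MARKUP_CHARS = set('<>"')

# Constructed sample entries; the /pa/ prefix and addresses are hypothetical.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Jan/2021:10:00:00 +0000] "GET /pa/BrowseAssets.do?title=Q3+Assets HTTP/1.1" 200 5120',
    '10.0.0.9 - - [11/Jan/2021:10:01:12 +0000] "GET /pa/BrowseAssets.do?title=%3Ci%3Edemo%3C%2Fi%3E HTTP/1.1" 200 5200',
    '10.0.0.9 - - [11/Jan/2021:10:01:40 +0000] "GET /pa/BrowseAssets.do?id=4&title=%253Ci%253Edemo HTTP/1.1" 200 5200',
    '10.0.0.7 - - [11/Jan/2021:10:02:03 +0000] "GET /pa/Other.do?title=%3Ci%3E HTTP/1.1" 200 100',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_title(log_line):
    """Return the decoded title if the entry targets BrowseAssets.do with markup in title."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    # Drop any ";jsessionid=..." path parameter before matching the endpoint.
    if not url.path.split(";")[0].lower().endswith("/browseassets.do"):
        return None
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() == "title":
            decoded = fully_decode(value)  # parse_qsl already decoded once
            if MARKUP_CHARS & set(decoded):
                return decoded
    return None


def scan(lines):
    """Return (line number, decoded title) for every flagged entry."""
    hits = ((n, suspicious_title(line)) for n, line in enumerate(lines, 1))
    return [(n, t) for n, t in hits if t is not None]
```

Only the query string is inspected, so a title value submitted in a POST body will not appear in access logs and needs inspection at a reverse proxy or WAF instead.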

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
