CVE-2020-35722
Description
CSRF in Web Compliance Manager in Quest Policy Authority 8.1.2.200 allows remote attackers to force user modification/creation via a specially crafted link to the submitUser.jsp file. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in Quest Policy Authority 8.1.2.200 allows attackers to create or modify users via a crafted link to submitUser.jsp in an unsupported product.
Vulnerability
A cross-site request forgery (CSRF) vulnerability exists in the Web Compliance Manager component of Quest Policy Authority for Unified Communications version 8.1.2.200 [1]. The endpoint submitUser.jsp does not enforce anti-CSRF tokens, allowing an attacker to force an authenticated administrator to unknowingly perform user creation or modification requests.
Exploitation
An attacker crafts a malicious link or form that, when clicked by a logged-in administrator with a valid session, sends a forged POST request to submitUser.jsp. No authentication is required for the attacker, but the victim must have an active session in the application. The attacker can predefine parameters to create a new user or alter existing user attributes.
Impact
Successful exploitation allows an attacker to create new user accounts or modify existing ones, potentially gaining unauthorized privileged access to the application. This could lead to full compromise of the Policy Authority system.
Mitigation
Quest has confirmed that Policy Authority for Unified Communications has reached end-of-life and is no longer supported. No patches are available [1]. Organizations should migrate to a supported alternative or isolate the application to prevent exposure.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
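Because no patch exists, reviewing web access logs for forged requests is one of the few checks left to operators who still run the product. The following is an added example, not code from Quest or from this CVE record: it flags requests to submitUser.jsp whose Referer is missing or points to a host other than the application itself. The Apache/NCSA combined log format, the host name pa.corp.example, the /app/ paths and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the front-end proxy or app server writes NCSA "combined" logs.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)
ENDPOINT = "submituser.jsp"  # endpoint named in the CVE description

def suspicious_requests(lines, trusted_hosts):
    """Return (timestamp, client, method, reason) for each request to
    submitUser.jsp whose Referer is absent or outside trusted_hosts."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        path = urlsplit(m["target"]).path.lower()  # drops any query string
        if not path.endswith("/" + ENDPOINT):
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            reason = "no Referer"
        else:
            host = (urlsplit(referer).hostname or "").lower()
            if host in trusted:
                continue  # submitted from the application's own pages
            reason = f"Referer host {host or 'unparseable'!r}"
        findings.append((m["ts"], m["ip"], m["method"], reason))
    return findings

# Constructed sample log lines (hosts, paths and times are made up).
SAMPLE = [
    '10.0.0.5 - admin [12/Jan/2021:10:01:02 +0000] "POST /app/submitUser.jsp HTTP/1.1" 200 512 "https://pa.corp.example/app/users" "Mozilla/5.0"',
    '10.0.0.5 - admin [12/Jan/2021:10:07:44 +0000] "POST /app/submitUser.jsp HTTP/1.1" 200 498 "https://news.example.net/article" "Mozilla/5.0"',
    '10.0.0.9 - admin [12/Jan/2021:11:15:00 +0000] "GET /app/submitUser.jsp?id=7 HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Jan/2021:11:16:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 900 "https://news.example.net/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in suspicious_requests(SAMPLE, {"pa.corp.example"}):
        print(*finding, sep="  ")
```

A missing Referer is a lead rather than proof, since privacy settings and some proxies strip the header; correlate each hit with the user-management changes recorded at the same time.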
Affected products
- Quest/Policy Authority
- Range: = 8.1.2.200
Patches
No patches discovered yet.