CVE-2020-35723
Description
Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the ReportPreview.do file via the referer parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Quest Policy Authority 8.1.2.200 allows unauthenticated attackers to inject scripts via the referer parameter in ReportPreview.do.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in Quest Policy Authority for Unified Communications version 8.1.2.200. The ReportPreview.do file reflects the referer parameter without proper sanitization or encoding, allowing an attacker to inject arbitrary HTML and JavaScript. The product has reached end-of-life and is no longer supported by the vendor. [1]
Exploitation
An attacker can exploit this vulnerability by crafting a malicious link containing JavaScript in the referer parameter and convincing a victim to click it. No authentication is required to trigger the reflected XSS. When the victim clicks the link, the injected script executes in the context of the application's origin. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the session context of the Quest Policy Authority application. This can lead to session hijacking, credential theft, or other malicious actions. Since the product is end-of-life, no remediation is available. [1]
Mitigation
Quest has confirmed that the product is end-of-life and has been unsupported for over seven years. No patch is available. Organizations using this product should immediately discontinue its use and migrate to a supported alternative. [1]
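For deployments still awaiting migration, web access logs can be reviewed for requests that place markup in the referer parameter of ReportPreview.do. The following is an added example, not part of the CVE record or any vendor material; it assumes referer arrives as a query-string parameter, and the log lines, client addresses and /app/ path prefix are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed access-log lines; addresses and the /app/ prefix are placeholders.
SAMPLE_LOG = """\
192.0.2.5 - - [01/Feb/2021:10:00:01 +0000] "GET /app/ReportPreview.do?referer=home HTTP/1.1" 200 512
192.0.2.9 - - [01/Feb/2021:10:00:07 +0000] "GET /app/ReportPreview.do?referer=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640
192.0.2.23 - - [01/Feb/2021:10:01:12 +0000] "GET /app/ReportPreview.do?id=4&Referer=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 640
192.0.2.5 - - [01/Feb/2021:10:02:30 +0000] "GET /app/ReportPreview.do?referer=%2Fapp%2FDashboard.do%3Ftab%3D1 HTTP/1.1" 200 498
192.0.2.40 - - [01/Feb/2021:10:03:00 +0000] "GET /app/Login.do?referer=%3Cb%3E HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Characters needed to break out of HTML text or an attribute value.
MARKUP_RE = re.compile(r'[<>"\']|javascript:', re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding so double-encoded markup is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_text):
    """Return (client, decoded referer value) for flagged ReportPreview.do hits."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/reportpreview.do"):
            continue  # only the endpoint named in the CVE description
        for name, raw in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(raw)  # parse_qsl has already decoded once
            if name.lower() == "referer" and MARKUP_RE.search(value):
                hits.append((client, value))
    return hits

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client}: referer={value!r}")
```

Only the request line is inspected, so a referer value sent in a POST body would not appear in a standard access log and needs a proxy or WAF log instead.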
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Quest/Policy Authority
- Range: = 8.1.2.200
Patches
No patches discovered yet.
References