CVE-2020-35724
Description
Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the Error.jsp file via the err parameter (or indirectly via the cpr, tcp, or abs parameter). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Error.jsp via err parameter allows remote attackers to inject arbitrary JavaScript in Quest Policy Authority 8.1.2.200, which is end-of-life and unpatched.
Vulnerability
A reflected XSS vulnerability exists in Error.jsp in Quest Policy Authority 8.1.2.200. The err parameter (and, indirectly, cpr, tcp, and abs) is reflected without sanitization, allowing injection of arbitrary script. Affected versions: 8.1.2.200 and likely earlier unsupported versions. [1]
Exploitation
An attacker can craft a malicious link containing the payload in the err parameter. No authentication is required. The victim must click the link. The script executes in the browser context of the application.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, potentially stealing session cookies, redirecting the victim, or performing actions on the victim's behalf. Since the product is end-of-life, no patch is available.
Mitigation
Quest has confirmed the product is end-of-life and unsupported for over seven years. No patches will be issued. The only mitigation is to discontinue use or isolate the application. [1]
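While an instance is still reachable during retirement or isolation, requests aimed at this flaw can be picked out of the web server's access log. The following is an added example, not part of the CVE record or Quest's code: it assumes common/combined-format access logs and a heuristic markup pattern, and flags requests to Error.jsp whose err, cpr, tcp or abs value contains markup after repeated URL decoding. The log lines, the /pa/ path prefix and the addresses are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Parameters the CVE description names as reflected by Error.jsp.
WATCHED = {"err", "cpr", "tcp", "abs"}
# Heuristic (assumption): markup characters or script-bearing tokens in a value.
MARKUP = re.compile(r"[<>\"]|javascript:|\bon[a-z]+\s*=", re.I)
# Request line of a common/combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so %253C is treated like '<'."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return sorted names of watched parameters carrying markup, or []."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    path, _, query = m.group(1).partition("?")
    path = path.split(";", 1)[0]  # drop a ;jsessionid=... path parameter
    if not path.lower().endswith("/error.jsp"):
        return []
    hits = set()
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in WATCHED and MARKUP.search(fully_decode(value)):
            hits.add(name.lower())
    return sorted(hits)

def scan(lines):
    """Return (line_number, parameter_names) for every flagged log line."""
    return [(n, hits) for n, line in enumerate(lines, 1)
            if (hits := suspicious_params(line))]

# Constructed sample lines (benign markup stands in for a real payload).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Feb/2021:10:00:01 +0000] "GET /pa/Error.jsp?err=Session+expired HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Feb/2021:10:00:05 +0000] "GET /pa/Error.jsp?err=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 530',
    '203.0.113.9 - - [01/Feb/2021:10:02:11 +0000] "GET /pa/Error.jsp;jsessionid=ABC?cpr=%253Cb%253E&tcp=1 HTTP/1.1" 200 530',
    '203.0.113.9 - - [01/Feb/2021:10:02:15 +0000] "GET /pa/Login.jsp?err=%3Cb%3E HTTP/1.1" 200 400',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: markup in {', '.join(hits)}")
```

The same pattern can be used as a block rule on a reverse proxy placed in front of the isolated host, at the cost of false positives on legitimate error text that contains quotes or angle brackets.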
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Quest/Policy Authority
  - Range: = 8.1.2.200
Patches
No patches discovered yet.