CVE-2020-35725
Description
Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser through a specially crafted link to the /WebCM/index.jsp file, using the msg parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Quest Policy Authority 8.1.2.200 allows unauthenticated attackers to inject arbitrary JavaScript via the msg parameter in /WebCM/index.jsp.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in Quest Policy Authority for Unified Communications version 8.1.2.200. The msg parameter in /WebCM/index.jsp is echoed into the response without proper sanitization or encoding [1]. The product is end-of-life and has been unsupported for over seven years at the time of disclosure; no patches are available [1].
Exploitation
An attacker can craft a malicious link containing a JavaScript payload in the msg parameter and trick an authenticated or unauthenticated user into clicking it. The request requires no authentication. The injected script executes in the victim's browser within the security context of the application [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, cookie theft, redirection to malicious sites, or other actions on behalf of the victim within the application. The impact is limited to the browser session and data accessible to the application [1].
Mitigation
Quest confirmed the product is end-of-life and will not issue any patches. Users must migrate to a supported alternative or remove the product from their environment. This vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of writing [1].
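Where the product is still running while migration is pending, web access logs can be reviewed for requests that match the description above. The following Python is an added example, not code from Quest or from the cited advisory; the log format, the sample lines, the function names and the markup heuristic are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Path and parameter name come from the CVE description.
TARGET_PATH = "/webcm/index.jsp"
PARAM = "msg"
# Heuristic (assumption): characters and tokens that let a reflected value
# leave plain-text context in an HTML response.
MARKUP = re.compile(r"[<>\"'`]|javascript:|\bon\w+\s*=", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines in a common access-log layout.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /WebCM/index.jsp?msg=Password+changed HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2021:10:01:00 +0000] "GET /WebCM/index.jsp?msg=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 540',
    '10.0.0.9 - - [01/Jan/2021:10:02:00 +0000] "GET /WebCM/index.jsp;jsessionid=ABC?msg=%253Ci%253E HTTP/1.1" 200 540',
    '10.0.0.7 - - [01/Jan/2021:10:03:00 +0000] "GET /other.jsp?msg=%3Cb%3E HTTP/1.1" 404 0',
]

def decode_fully(value, rounds=3):
    """Undo nested URL encoding (e.g. %253C) so double-encoded values are seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_msg(log_line):
    """Return the decoded msg value if the request carries markup, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    # Drop path parameters such as ;jsessionid=... and compare case-insensitively.
    if url.path.split(";", 1)[0].lower() != TARGET_PATH:
        return None
    for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        decoded = decode_fully(value)  # parse_qs has already decoded once
        if MARKUP.search(decoded):
            return decoded
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every suspicious request."""
    hits = ((n, suspicious_msg(line)) for n, line in enumerate(lines, 1))
    return [(n, value) for n, value in hits if value is not None]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: msg={value!r}")
```

The heuristic flags legitimate messages that contain quotes, so hits are candidates for review rather than confirmed attempts.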
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Quest/Policy Authority
- Range: = 8.1.2.200
Patches
No patches discovered yet.
References