CVE-2020-35720 in Policy Authority

Summary

by MITRE • 01/11/2021

** UNSUPPORTED WHEN ASSIGNED ** Stored XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to store malicious code in multiple fields (first name, last name, and logon name) when creating or modifying a user via the submitUser.jsp file. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.


Analysis

by VulDB Data Team • 05/04/2025

CVE-2020-35720 is a stored cross-site scripting flaw in Quest Policy Authority version 8.1.2.200, a weakness of real significance in an identity and access management system. It affects the web-based user management interface: an attacker can inject script into user records through several input fields, namely first name, last name, and logon name. The flaw resides in the submitUser.jsp file, which processes user creation and modification requests, making that file the point of entry for anyone seeking to compromise the system. Because the vulnerability is stored, injected code persists in the database once written and executes whenever another user or administrator views the affected user records.

Technically the flaw maps to CWE-79, cross-site scripting, in which untrusted data is included in a web page without proper validation or encoding. Here the user identification fields are neither validated nor escaped before the supplied values are stored in the backend database. When that content is later retrieved and rendered, the stored script runs in the browsers of other users, potentially allowing an attacker to steal session cookies, perform unauthorized actions in the victim's session, or redirect users to malicious sites. The flaw also bears on the system's authentication and authorization mechanisms, since it lets attackers manipulate user records and potentially escalate privileges.
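As an added illustration (this is my Python modelling, not code from Quest Policy Authority or from VulDB), the block below contrasts the flawed pattern the analysis describes, stored field values concatenated straight into the page, with the output-encoded form, and adds an input-side allowlist for the logon name. The field names, the sample user record and its test payloads are constructed; the logon-name character set is an assumption.

```python
import html
import re
from dataclasses import dataclass


# Constructed user record carrying the three fields the advisory names. The
# markup in first_name and logon_name is a harmless marker used only to show
# whether the rendering layer hands stored data to the browser as markup.
@dataclass
class UserRecord:
    first_name: str
    last_name: str
    logon_name: str


SAMPLE_USER = UserRecord(
    first_name='<script>alert(1)</script>',
    last_name="O'Brien",
    logon_name='obrien" onmouseover="alert(2)',
)


def render_user_row_vulnerable(user: UserRecord) -> str:
    """Models the flawed pattern: stored values are concatenated straight into
    HTML, in both text and attribute context, with no encoding. Whatever was
    accepted at submitUser.jsp time reaches every later viewer as markup."""
    return (
        '<tr>'
        f'<td>{user.first_name}</td>'
        f'<td>{user.last_name}</td>'
        f'<td><input name="logonName" value="{user.logon_name}"></td>'
        '</tr>'
    )


def render_user_row_safe(user: UserRecord) -> str:
    """Hardened form: every field is HTML-entity encoded at output time.
    quote=True also encodes " and ', so a value cannot break out of the
    attribute it is placed in."""
    def esc(value: str) -> str:
        return html.escape(value, quote=True)

    return (
        '<tr>'
        f'<td>{esc(user.first_name)}</td>'
        f'<td>{esc(user.last_name)}</td>'
        f'<td><input name="logonName" value="{esc(user.logon_name)}"></td>'
        '</tr>'
    )


# Input-side control for the one field with a narrow legitimate format.
# The allowed character set is an assumption; real logon-name rules vary.
LOGON_NAME_RE = re.compile(r'^[A-Za-z0-9._-]{1,64}$')


def validate_logon_name(value: str) -> bool:
    """Reject a logon name that is not a plain identifier."""
    return LOGON_NAME_RE.fullmatch(value) is not None


def has_live_payload(rendered: str) -> bool:
    """True if the rendered fragment still contains a raw script tag or an
    attribute break-out (a real quote followed by an event handler)."""
    low = rendered.lower()
    return '<script' in low or '" onmouseover="' in low


if __name__ == '__main__':
    print('vulnerable:', render_user_row_vulnerable(SAMPLE_USER))
    print('hardened:  ', render_user_row_safe(SAMPLE_USER))
    print('logon name acceptable:', validate_logon_name(SAMPLE_USER.logon_name))
```

In a JSP the same output-time encoding is what JSTL's `<c:out>` provides, since its escapeXml attribute defaults to true. The allowlist on the logon name is an input-side control; it complements output encoding rather than replacing it, because the first and last name fields legitimately contain apostrophes and accented characters that cannot be rejected.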

The operational impact of CVE-2020-35720 goes beyond script execution: it compromises the integrity of the user directory and may expose sensitive authentication information. An attacker could use it to gain unauthorized access to user accounts, modify user permissions, or create backdoor accounts within the system. Its location in the user management interface makes it especially dangerous, because it lets an attacker tamper with the foundation of the organization's access control. As the affected product is no longer supported by the maintainer, organizations may receive no patches or updates for it, leaving them exposed to exploitation. The vulnerability also maps to ATT&CK technique T1078 (Valid Accounts), since successful exploitation could let an attacker maintain persistent access through compromised user accounts.

Affected organizations should apply immediate mitigations, chiefly input validation and output encoding, although these may be limited by the product's end-of-life status. The recommended approach is to disable or restrict the ability to store data in the vulnerable fields, deploy a web application firewall to detect and block malicious payloads, and review every user account that may have been tampered with. Because the software is unsupported, migration to a supported identity management solution is critical for long-term security. Security teams should also monitor their network and application logs for signs of exploitation and add authentication controls that limit the impact of a successful attack. The case illustrates the importance of keeping software current and the risk of continuing to run unsupported products in enterprise environments.
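For the log monitoring and account review the paragraph recommends, here is an added Python example; it is not the product's or VulDB's code. It assumes the submission reaches submitUser.jsp as a GET request whose parameters are named firstName, lastName and logonName; the access-log lines, client addresses, timestamps and the exported user records are all constructed. Where the form is submitted by POST, a standard access log does not carry the parameters and the same check has to run on an application-level log or on the stored records themselves, which the second function does.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in combined-log shape. The third line stores
# an attribute break-out in the logon name, the second a script tag in the
# first name; the others are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [14/Jan/2021:10:02:11 +0000] "GET /submitUser.jsp?action=create&firstName=Jane&lastName=Doe&logonName=jdoe HTTP/1.1" 200 512
10.0.0.9 - admin [14/Jan/2021:10:05:43 +0000] "GET /submitUser.jsp?action=modify&firstName=%3Cscript%3Ealert(1)%3C%2Fscript%3E&lastName=Doe&logonName=jdoe HTTP/1.1" 200 512
10.0.0.9 - admin [14/Jan/2021:10:06:02 +0000] "GET /submitUser.jsp?action=create&firstName=Bob&lastName=Smith&logonName=bsmith%22%20onmouseover%3D%22alert(2) HTTP/1.1" 200 512
10.0.0.7 - admin [14/Jan/2021:10:07:15 +0000] "GET /listUsers.jsp HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter names are an assumption; the advisory only names the fields.
WATCHED_FIELDS = ('firstName', 'lastName', 'logonName')

# Markup indicators that have no legitimate place in a person's name or a
# logon name: a tag opener, an inline event handler, or a javascript: URL.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z]|on[a-z]+\s*=|javascript:', re.IGNORECASE)


def find_suspicious_submissions(log_text: str) -> list:
    """Scan access-log text for submitUser.jsp requests whose watched
    parameters carry markup. Returns one dict per offending parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m['target'])
        if not parts.path.endswith('/submitUser.jsp'):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for field in WATCHED_FIELDS:
            for value in params.get(field, []):
                if MARKUP_RE.search(value):
                    hits.append({'ip': m['ip'], 'time': m['ts'],
                                 'field': field, 'value': value})
    return hits


# Constructed snapshot of stored user records, as an export from the
# directory would provide them.
SAMPLE_RECORDS = [
    {'logonName': 'jdoe', 'firstName': '<script>alert(1)</script>', 'lastName': 'Doe'},
    {'logonName': 'bsmith" onmouseover="alert(2)', 'firstName': 'Bob', 'lastName': 'Smith'},
    {'logonName': 'amartin', 'firstName': 'Ana', 'lastName': 'Martín'},
]


def audit_stored_records(records: list) -> list:
    """Return (logonName, field) pairs whose stored value carries markup, so
    the records can be cleaned and the accounts reviewed. This also catches
    payloads that arrived before logging began or via a path the log missed."""
    return [(r['logonName'], f)
            for r in records
            for f in WATCHED_FIELDS
            if MARKUP_RE.search(r.get(f, ''))]


if __name__ == '__main__':
    for hit in find_suspicious_submissions(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['field']}={hit['value']!r}")
    for logon, field in audit_stored_records(SAMPLE_RECORDS):
        print(f'stored markup in {field} of account {logon!r}')
```

The indicator pattern is deliberately narrow so that legitimate names with apostrophes, hyphens or non-ASCII letters are not flagged; anything it does flag warrants a look at the account and at who submitted the change, since an authenticated administrator session is what the request path implies.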

Reservation

12/27/2020

Disclosure

01/11/2021

Moderation

accepted

CPE

ready

EPSS

0.00236

KEV

no

Activities

very low

Sources
