CVE-2020-35725 in Policy Authority

Summary

by MITRE • 01/11/2021

** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the /WebCM/index.jsp file via the msg parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.


Analysis

by VulDB Data Team • 05/04/2025

This vulnerability represents a classic reflected cross-site scripting flaw that was discovered in Quest Policy Authority version 8.1.2.200, a security management platform used for policy enforcement and compliance monitoring. The vulnerability specifically affects the web interface component accessible through the /WebCM/index.jsp file, making it exploitable through web-based attack vectors. The flaw occurs when the application fails to properly sanitize user input received through the msg parameter, allowing malicious actors to inject arbitrary JavaScript code that executes in the context of other users' browsers. This type of vulnerability falls under the CWE-79 category of Cross-Site Scripting, specifically classified as reflected XSS where the malicious payload is reflected off the web server back to the victim's browser. The vulnerability is particularly concerning as it enables attackers to execute arbitrary code in the victim's browser session, potentially leading to session hijacking, credential theft, or redirection to malicious sites. The attack vector requires the victim to click on a specially crafted link containing the malicious payload, which is then reflected by the server and executed in the victim's browser context.

The operational impact of this vulnerability extends beyond simple script execution, as it can be leveraged for more sophisticated attacks within the context of the affected system. Attackers could potentially use this vulnerability to steal session cookies, redirect users to phishing sites, or even inject malicious scripts that could exfiltrate sensitive data from the targeted environment. The reflected nature of the vulnerability means that the malicious code does not persist on the server itself but is instead delivered through crafted HTTP requests. This characteristic makes detection more challenging as the malicious payloads are not stored in the application's database or file system. From an attacker's perspective, the vulnerability's exploitation is relatively straightforward, requiring only the ability to craft malicious URLs and convince victims to click on them, making it particularly dangerous in environments where users may encounter untrusted links in emails, web portals, or other communication channels.

Given that this vulnerability affects a product that is no longer supported by the maintainer, organizations that continue to use this software face significant security risks without any official patches or updates. The lack of vendor support means that even if organizations identify the vulnerability, they cannot rely on official remediation efforts, forcing them to consider alternative mitigation strategies. This situation exemplifies the risks associated with using unsupported software in production environments, where security vulnerabilities may remain unpatched for extended periods. The vulnerability's classification as reflected XSS aligns with ATT&CK technique T1566.001 which covers the use of malicious links in emails or web applications to deliver payloads. Organizations should recognize that without proper vendor support, they are left vulnerable to attackers who may develop and distribute exploits for such known vulnerabilities. The absence of official security updates creates a window of opportunity for threat actors to exploit the vulnerability, particularly in environments where legacy systems continue to operate. Mitigation strategies must therefore be implemented proactively, including network-level protections, web application firewalls, and user education to avoid clicking on suspicious links, while also planning for migration away from unsupported software platforms.

The vulnerability demonstrates the critical importance of maintaining current software versions and security patches, as unsupported products leave organizations exposed to known attack vectors. Organizations should conduct comprehensive inventory assessments to identify all instances of this unsupported software and implement immediate protective measures including network segmentation, monitoring for suspicious activity, and user awareness training. The attack surface created by this vulnerability extends beyond the immediate web interface, potentially allowing attackers to escalate privileges or access sensitive policy enforcement data managed by the Quest Policy Authority system. This scenario underscores the need for robust vulnerability management processes that include regular assessment of software lifecycle status and proactive identification of unsupported components within the enterprise infrastructure.
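
Because a reflected payload travels in the request URL, the monitoring recommended above can start with the web server's access log. The following Python sketch is an added example, not part of the original entry or of the vendor's software; the Common Log Format input, the sample lines, and the choice of <, > and " as markup indicators are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

TARGET_PATH = "/webcm/index.jsp"      # page named in the advisory, lower-cased
MARKUP = re.compile(r'[<>"]')         # assumption: characters that indicate injected markup
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')  # request field of a CLF line

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (bounded) so double-encoded markup is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_msg(request_target):
    """Return the decoded msg value if it carries markup, else None."""
    parts = urlsplit(request_target)
    # Drop ;jsessionid=... path parameters and ignore case before comparing.
    path = unquote(parts.path).split(";")[0].lower()
    if path != TARGET_PATH:
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == "msg":
            decoded = fully_decode(value)  # parse_qsl has already decoded once
            if MARKUP.search(decoded):
                return decoded
    return None

def scan(lines):
    """Return (line_number, decoded_msg) for every flagged request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        flagged = suspicious_msg(match.group(1)) if match else None
        if flagged is not None:
            hits.append((number, flagged))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Jan/2021:10:00:01 +0000] "GET /WebCM/index.jsp?msg=Login+failed HTTP/1.1" 200 5120',
    '198.51.100.7 - - [11/Jan/2021:10:02:14 +0000] "GET /WebCM/index.jsp?msg=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 5140',
    '198.51.100.7 - - [11/Jan/2021:10:02:20 +0000] "GET /WebCM/index.jsp;jsessionid=ABC?msg=%253Ci%253Ex HTTP/1.1" 200 5138',
    '192.0.2.10 - - [11/Jan/2021:10:03:00 +0000] "GET /WebCM/help.jsp?msg=%3Cb%3E HTTP/1.1" 404 312',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: msg decodes to {value!r}")
```

The same path and parameter match can serve as the basis for a blocking rule on a reverse proxy or web application firewall placed in front of the unsupported application.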

Reservation: 12/27/2020

Disclosure: 01/11/2021

Moderation: accepted

CPE: ready

EPSS: 0.00375

KEV: no

Activities: very low
