CVE-2020-35726 in Policy Authority
Summary
by MITRE • 01/11/2021
** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the /WebCM/Applications/Reports/index.jsp file via the by parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Analysis
by VulDB Data Team • 05/04/2025
This reflected cross-site scripting vulnerability exists in Quest Policy Authority version 8.1.2.200 and represents a critical security flaw that enables remote attackers to execute malicious code within user browsers. The vulnerability manifests when a user clicks a specially crafted link that targets the /WebCM/Applications/Reports/index.jsp endpoint with malicious input in the by parameter. The flaw allows attackers to inject arbitrary JavaScript that executes in the context of the victim's browser session, potentially leading to complete session hijacking, data theft, or further exploitation of the affected system. This type of vulnerability falls under CWE-79, which categorizes cross-site scripting flaws as weaknesses in web applications that fail to properly validate or escape user input before rendering it in web pages. The vulnerability aligns with ATT&CK technique T1566.001, which describes social engineering attacks using malicious links, making it particularly dangerous in environments where users may inadvertently click on compromised URLs.
The root cause of this vulnerability is insufficient input validation and output encoding within the Quest Policy Authority web application. When the by parameter is processed without proper sanitization, the application incorporates the user-supplied value directly into the HTTP response without appropriate escaping or encoding. This allows attackers to inject script code that executes when the page is rendered in the victim's browser. Because the vulnerability is reflected, the malicious payload is not stored on the server but is echoed back to the user in the web application's response, making it a classic reflected XSS attack vector. The attack requires minimal user interaction beyond clicking a malicious link, making it particularly effective for phishing campaigns or social engineering attacks.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform a wide range of malicious activities within the victim's browser session. Attackers could potentially steal session cookies, modify user permissions, access sensitive data, or redirect users to malicious websites. The vulnerability's impact is particularly concerning given that Quest Policy Authority is a security management platform, meaning that successful exploitation could provide attackers with elevated privileges within the security infrastructure. Organizations using unsupported software versions face additional risks as there are no security patches or updates available to remediate this vulnerability. The lack of vendor support means that even if organizations discover the vulnerability, they cannot rely on official patches to address the issue.
Mitigation strategies for this vulnerability should focus on immediate defensive measures given the unsupported status of the affected product. Organizations should implement network-level protections such as web application firewalls that can detect and block malicious payloads targeting the specific endpoint. Input validation and output encoding should be enforced at the application level where possible, even if the vendor no longer supports the product. Network segmentation can help limit the potential impact of successful exploitation by restricting access to sensitive components. Security monitoring and log analysis should be enhanced to detect unusual patterns that might indicate exploitation attempts. Organizations should also consider browser security controls, such as a Content Security Policy delivered with the application's responses, and disabling unnecessary browser features that could facilitate exploitation. Because the product is end-of-life, migration to supported alternatives or upgrading to newer versions should be prioritized as the long-term solution, though nothing in the CVE indicates additional security flaws beyond the reflected XSS it describes.
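The log-analysis measure above can be turned into a concrete check: the script below (an added example, not code from VulDB or Quest) scans web-server access log lines for requests to the /WebCM/Applications/Reports/index.jsp endpoint whose by parameter carries markup after percent-decoding, including values that were percent-encoded twice. The log format, the SUSPICIOUS heuristic and the sample log lines are assumptions; the sample lines are constructed, not real traffic.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the CVE description.
TARGET_PATH = "/WebCM/Applications/Reports/index.jsp"
PARAM = "by"

# A sort/grouping value has no business containing markup. This is a heuristic
# starting point (assumption); tune it against real traffic to the endpoint.
SUSPICIOUS = re.compile(r"[<>]|javascript:|on\w+\s*=|&#", re.IGNORECASE)

# Apache/nginx "combined" log format (assumed; adjust for your server).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def inspect_line(line):
    """Return a finding dict if the line is a suspicious request to the endpoint, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != TARGET_PATH:
        return None
    # parse_qs already percent-decodes once; decode a second time so a
    # double-encoded value (%253C -> %3C -> <) is inspected in its final form.
    for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        value = unquote(raw)
        if SUSPICIOUS.search(value):
            return {"ip": m["ip"], "ts": m["ts"], "status": m["status"], "by": value}
    return None


def scan(lines):
    """Run inspect_line over an iterable of log lines and collect the findings."""
    return [hit for hit in map(inspect_line, lines) if hit]


# Constructed sample log lines (hypothetical addresses and timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2021:12:00:01 +0000] "GET /WebCM/Applications/Reports/index.jsp?by=name HTTP/1.1" 200 5123',
    '203.0.113.9 - - [10/Jan/2021:12:00:07 +0000] "GET /WebCM/Applications/Reports/index.jsp?by=%3Cscript%3Eprobe()%3C/script%3E HTTP/1.1" 200 5211',
    '203.0.113.9 - - [10/Jan/2021:12:00:09 +0000] "GET /WebCM/Applications/Reports/index.jsp?by=%253Cb%253Ex%253C%252Fb%253E HTTP/1.1" 200 5198',
    '203.0.113.7 - - [10/Jan/2021:12:01:00 +0000] "GET /WebCM/Applications/Other.jsp?by=%3Cb%3E HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} by={hit['by']!r}")
```

Only the two requests that reach the vulnerable endpoint with markup in by are reported; the benign sort value and the request to a different path are ignored, so the same loop can be pointed at a full access log with `scan(open(path))`.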