CVE-2020-13562
published 2021-02-01


Priority: P344 · Severity: medium · CVSS 3.1 base score: 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 77.75% (99.5th percentile)
A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template action parameter.

Affected

3 ranges

Vendor            Product   Version range   Fixed in
open-emr          openemr
phpgacl_project   phpgacl
phpgacl_project   phpgacl

Detection & IOCs (extracted from sources)

Path: admin/acl_admin.php

Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS phpGACL acl_admin action Parameter Reflected Cross-Site Scripting (CVE-2020-13562)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"admin/acl_admin.php|3f|"; fast_pattern; content:"action|3d|"; distance:0; pcre:"/^.+(script|onmouse[a-z]+|onkey[a-z]+|onerror|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3d)/Ri"; reference:url,talosintelligence.com/vulnerability_reports/TALOS-2020-1177; reference:cve,2020-13562; classtype:web-application-attack; sid:2059299; rev:1; metadata:affected_product phpGACL, attack_target Web_Server, tls_state TLSDecrypt, created_at 2025_01_17, cve CVE_2020_13562, deployment Perimeter, deployment Internal, deployment Datacenter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_01_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit targets the `action` parameter of `admin/acl_admin.php` via HTTP GET; look for XSS payloads (script tags, event handlers, style= attributes) in the URI query string following `action=`.
  • The PCRE pattern covers a broad set of XSS vectors: inline script tags, mouse/keyboard/load/error/focus/click/submit/reset/select/change event handlers, and style= attribute injection — all case-insensitive.
  • Rule is mapped to MITRE ATT&CK T1190 (Exploit Public-Facing Application) under Initial Access (TA0001); prioritise detections on perimeter, internal, and datacenter deployments, including TLS-decrypted traffic.
  • The vulnerability is a reflected XSS in the phpGACL template functionality triggered via a crafted URL; monitor for GET requests to acl_admin.php with suspicious `action` parameter values.
  • The Snort/Suricata rule (sid:2059299) requires TLS inspection to detect attacks over HTTPS; metadata indicates `tls_state TLSDecrypt` and `deployment SSLDecrypt` — ensure SSL/TLS decryption is enabled on the sensor for full coverage.
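As an added illustration (not part of this record or of the rule's source), the matching steps of the Snort rule above rewritten in Python and run over constructed HTTP request lines: GET method, `admin/acl_admin.php?` in the URI, `action=` after it, and the rule's PCRE anchored after `action=`. URL-decoding the request target to approximate the sensor's normalized `http.uri` buffer is an assumption made here.

```python
import re
from urllib.parse import unquote

# Same alternation as the rule's PCRE; the /i flag becomes re.IGNORECASE.
XSS_VECTOR = re.compile(
    r"(script|onmouse[a-z]+|onkey[a-z]+|onerror|onload|onunload|ondragdrop|"
    r"onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style=)",
    re.IGNORECASE,
)

def matches_rule(request_line: str) -> bool:
    """Return True when one HTTP request line satisfies the rule's content checks."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":          # http.method; content:"GET"
        return False
    uri = unquote(parts[1])                            # assumption: decoded == normalized http.uri
    marker = "admin/acl_admin.php?"                    # content:"admin/acl_admin.php|3f|"
    idx = uri.find(marker)
    if idx < 0:
        return False
    after = uri[idx + len(marker):]
    aidx = after.find("action=")                       # content:"action|3d|"; distance:0
    if aidx < 0:
        return False
    value = after[aidx + len("action="):]
    # pcre "/^.+(...)/R": relative to the end of "action=", at least one character
    # must precede the vector, so the search starts at offset 1 of the value.
    return len(value) > 1 and XSS_VECTOR.search(value, 1) is not None

# Constructed sample request lines (not real traffic): one benign edit request,
# one script-tag probe, one POST (method mismatch), one style= injection.
SAMPLE_REQUESTS = [
    "GET /phpgacl/admin/acl_admin.php?action=edit&id=5 HTTP/1.1",
    "GET /phpgacl/admin/acl_admin.php?action=%3Cscript%3Etest%3C/script%3E HTTP/1.1",
    "POST /phpgacl/admin/acl_admin.php?action=%3Cscript%3E HTTP/1.1",
    "GET /phpgacl/admin/acl_admin.php?return_page=x&action=go%20style%3Dcolor HTTP/1.1",
]

def scan(lines):
    """Return the indexes of request lines the rule logic would alert on."""
    return [i for i, line in enumerate(lines) if matches_rule(line)]

if __name__ == "__main__":
    print(scan(SAMPLE_REQUESTS))  # [1, 3]
```

The `^.+` prefix means a value that is exactly `script` does not fire, which is worth knowing when tuning or testing the rule.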

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      6.1     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd      v3.0      9.6     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
nvd      v2.0      4.3     MEDIUM     AV:N/AC:M/Au:N/C:N/I:P/A:N