CVE-2020-13562
Published 2021-02-01
CVE-2020-13562: A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript…
PriorityP344medium6.1CVSS 3.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS 77.75% (99.5th percentile)
A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template action parameter.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open-emr | openemr | — | — |
| phpgacl_project | phpgacl | — | — |
| phpgacl_project | phpgacl | — | — |
Detection & IOCs (extracted from sources)
path: admin/acl_admin.php
snort
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS phpGACL acl_admin action Parameter Reflected Cross-Site Scripting (CVE-2020-13562)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"admin/acl_admin.php|3f|"; fast_pattern; content:"action|3d|"; distance:0; pcre:"/^.+(script|onmouse[a-z]+|onkey[a-z]+|onerror|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3d)/Ri"; reference:url,talosintelligence.com/vulnerability_reports/TALOS-2020-1177; reference:cve,2020-13562; classtype:web-application-attack; sid:2059299; rev:1; metadata:affected_product phpGACL, attack_target Web_Server, tls_state TLSDecrypt, created_at 2025_01_17, cve CVE_2020_13562, deployment Perimeter, deployment Internal, deployment Datacenter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_01_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploit targets the `action` parameter of `admin/acl_admin.php` via HTTP GET; look for XSS payloads (script tags, event handlers, style= attributes) in the URI query string following `action=`.
- The PCRE pattern covers a broad set of XSS vectors: inline script tags, mouse/keyboard/load/error/focus/click/submit/reset/select/change event handlers, and style= attribute injection — all case-insensitive.
- Rule is mapped to MITRE ATT&CK T1190 (Exploit Public-Facing Application) under Initial Access (TA0001); prioritise detections on perimeter, internal, and datacenter deployments, including TLS-decrypted traffic.
- The vulnerability is a reflected XSS in the phpGACL template functionality triggered via a crafted URL; monitor for GET requests to acl_admin.php with suspicious `action` parameter values.
- The Snort/Suricata rule (sid:2059299) requires TLS inspection to detect attacks over HTTPS; metadata indicates `tls_state TLSDecrypt` and `deployment SSLDecrypt` — ensure SSL/TLS decryption is enabled on the sensor for full coverage.
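To make the match chain of sid:2059299 concrete, the following Python is an added illustration (not code from this page, from Emerging Threats, or from phpGACL). It emulates the rule's ordered checks (GET method, `admin/acl_admin.php?` in the URI, `action=` after it, then the case-insensitive PCRE anchored right after `action=`) and runs them over a handful of constructed request lines. The function names `matches_rule` and `scan_request_lines` and the sample lines are this example's own assumptions; the regex is the rule's PCRE body. It assumes the URI has already been normalised the way the engine's `http.uri` buffer is, so percent-encoded input is not decoded here.

```python
import re

# PCRE body copied from the rule. /i -> re.IGNORECASE; /R (relative to the end of the
# previous content match) is emulated by applying the regex to the text after "action=".
XSS_VECTOR_RE = re.compile(
    r"^.+(script|onmouse[a-z]+|onkey[a-z]+|onerror|onload|onunload|ondragdrop"
    r"|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style=)",
    re.IGNORECASE,
)


def matches_rule(method: str, uri: str) -> bool:
    """Emulate the content/pcre chain of sid:2059299 for one request (added example)."""
    # http.method; content:"GET"
    if method != "GET":
        return False
    # http.uri; content:"admin/acl_admin.php|3f|"  (|3f| is '?'; no nocase, so case-sensitive)
    path_hit = uri.find("admin/acl_admin.php?")
    if path_hit == -1:
        return False
    cursor = path_hit + len("admin/acl_admin.php?")
    # content:"action|3d|"; distance:0  -> must appear after the previous match
    action_hit = uri.find("action=", cursor)
    if action_hit == -1:
        return False
    # pcre:"/^.+(...)/Ri" -> anchored at the end of "action="; "^.+" demands at least
    # one character before the vector keyword, so a value that *is* the keyword does not fire.
    tail = uri[action_hit + len("action="):]
    return XSS_VECTOR_RE.match(tail) is not None


def scan_request_lines(lines):
    """Return the request lines ("METHOD URI VERSION") that the emulated rule would alert on."""
    hits = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # not a well-formed request line
        method, uri, _version = parts
        if matches_rule(method, uri):
            hits.append(line)
    return hits


# Constructed sample request lines (not captured traffic). Index 1 and 2 should alert:
# 0 benign value; 3 wrong method; 4 keyword with nothing before it (fails "^.+");
# 5 different script path; 6 vector placed before "action=", outside the PCRE's window.
SAMPLE_REQUEST_LINES = [
    "GET /admin/acl_admin.php?action=list_acls HTTP/1.1",
    "GET /admin/acl_admin.php?action=x<script>probe</script> HTTP/1.1",
    'GET /admin/acl_admin.php?action=x"onerror=probe HTTP/1.1',
    "POST /admin/acl_admin.php?action=x<script> HTTP/1.1",
    "GET /admin/acl_admin.php?action=script HTTP/1.1",
    "GET /admin/other.php?action=x<script> HTTP/1.1",
    "GET /admin/acl_admin.php?foo=x<script>&action=y HTTP/1.1",
]

if __name__ == "__main__":
    for hit in scan_request_lines(SAMPLE_REQUEST_LINES):
        print("ALERT:", hit)
```

Two quirks of the rule fall out of the emulation and are worth knowing when you validate the signature on a sensor: the PCRE only looks at text after the first `action=` that follows the script path, and the leading `^.+` means a value consisting solely of a keyword (sample index 4) is not matched. Because the content matches carry no `nocase`, a path with different capitalisation is also outside the rule; whether your web server would treat such a path as equivalent depends on its filesystem, which is a reason to confirm coverage with a decoded, normalised URI as the engine sees it.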
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 3.0 | 9.6 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Suricata
ET WEB_SPECIFIC_APPS phpGACL acl_admin action Parameter Reflected Cross-Site Scripting (CVE-2020-13562)
suricata·2025-01-17·CVSS 6.1
No public exploits indexed.
Talos
Vulnerability Spotlight: Multiple vulnerabilities in phpGACL class
blogs_talos·2021-01-27·CVSS 6.1
[MEDIUM] Vulnerability Spotlight: Multiple vulnerabilities in phpGACL class
Claudio Bozzato of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.
Cisco Talos recently discovered multiple vulnerabilities in the phpGACL class. One of these vulnerabilities also affects OpenEMR, a medical practice management software written in PHP. phpGACL is a PHP library that allows developers to implement permission systems via a Generic Access Control List. An adversary could exploit these vulnerabilities by sending the target machine a specially crafted, malicious HTTP request or URL.
In accordance with our coordinated disclosure policy, Cisco Talos worked with phpGACL and OpenEMR to ensure that these issues are resolved and that an update is available for affected customers.
## Vulnerability details
phpGACL template multiple cross-site scripting vulnerabilit
Published 2021-02-01