CVE-2020-13563
Published 2021-02-01
Priority P3 · 43 · medium · CVSS 3.1 base score 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS: 75.86% (99.5th percentile)
A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template group_id parameter.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open-emr | openemr | — | — |
| phpgacl_project | phpgacl | — | — |
| phpgacl_project | phpgacl | — | — |
Detection & IOCs (extracted from sources)
Path: admin/assign_group.php
Snort rule (sid:2059300):
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS phpGACL assign_group group_id Parameter Reflected Cross-Site Scripting (CVE-2020-13563)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"admin/assign_group.php|3f|"; fast_pattern; content:"group_id|3d|"; distance:0; pcre:"/^.+(script|onmouse[a-z]+|onkey[a-z]+|onerror|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3d)/Ri"; reference:url,talosintelligence.com/vulnerability_reports/TALOS-2020-1177; reference:cve,2020-13563; classtype:web-application-attack; sid:2059300; rev:1; metadata:affected_product phpGACL, attack_target Web_Server, tls_state TLSDecrypt, created_at 2025_01_17, cve CVE_2020_13563, deployment Perimeter, deployment Internal, deployment Datacenter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_01_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploit attempts target the `group_id` GET parameter of `admin/assign_group.php` with reflected XSS payloads. Look for GET requests to this path whose `group_id=` value is followed by script or event-handler injection patterns.
- The Snort/Suricata rule (ET sid:2059300) matches the following XSS keywords in the URI after `group_id=`: script, onmouse*, onkey*, onerror, onload, onunload, ondragdrop, onblur, onfocus, onclick, ondblclick, onsubmit, onreset, onselect, onchange, style=
- Detection applies to both cleartext HTTP and TLS-decrypted traffic (deployment tags include SSLDecrypt/TLSDecrypt), so ensure SSL inspection is in place for full coverage.
- MITRE mapping: Initial Access (TA0001) via Exploit Public-Facing Application (T1190). Prioritise perimeter and datacenter sensor placement.
- The Snort/Suricata rule (sid:2059300) requires TLS/SSL inspection to detect attacks over HTTPS; without decryption, encrypted exploit attempts will be missed.
- The vulnerability is specific to phpGACL 3.3.7; the rule metadata confirms the affected product scope.
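To see what the rule above actually fires on, here is an added Python approximation of its matching conditions (GET method, `admin/assign_group.php?`, a later `group_id=`, then the keyword alternation with the `^.+` relative anchor) run over constructed access-log lines; it is illustration code written for this page, not part of the Emerging Threats ruleset. It percent-decodes the URI to approximate Suricata's normalized `http.uri` buffer, which a grep over raw log text would not do.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (method, request path, HTTP version, status).
SAMPLE_LOG = """\
GET /admin/assign_group.php?group_id=12 HTTP/1.1 200
GET /admin/assign_group.php?group_id=12%22%3E%3Cscript%3E HTTP/1.1 200
GET /admin/assign_group.php?group_id=1%22%20onmouseover%3D1 HTTP/1.1 200
POST /admin/assign_group.php?group_id=1%3Cscript%3E HTTP/1.1 200
GET /admin/edit_group.php?group_id=%3Cscript%3E HTTP/1.1 200
GET /admin/assign_group.php?return_page=x&group_id=%3Cscript%3E HTTP/1.1 200
"""

# Keyword alternation taken from the rule's pcre. The rule's /R modifier anchors the
# pattern at the end of the preceding "group_id=" match and /i makes it case-insensitive;
# ".+" requires at least one character between "group_id=" and the keyword.
XSS_TAIL = re.compile(
    r"^.+(script|onmouse[a-z]+|onkey[a-z]+|onerror|onload|onunload|ondragdrop"
    r"|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style=)",
    re.IGNORECASE,
)


def matches_rule(method: str, raw_uri: str) -> bool:
    """Approximate sid:2059300 for one request; raw_uri may be percent-encoded."""
    if method != "GET":                              # http.method; content:"GET"
        return False
    uri = unquote(raw_uri)                           # stand-in for the normalized http.uri buffer
    pos = uri.find("admin/assign_group.php?")        # content:"admin/assign_group.php|3f|"
    if pos < 0:
        return False
    pos = uri.find("group_id=", pos + len("admin/assign_group.php?"))  # content:"group_id|3d|"; distance:0
    if pos < 0:
        return False
    tail = uri[pos + len("group_id="):]              # what the /R-anchored pcre sees
    return XSS_TAIL.search(tail) is not None


def scan_log(text: str) -> list[str]:
    """Return the raw URIs of the log lines that would trigger the rule."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and matches_rule(parts[0], parts[1]):
            hits.append(parts[1])
    return hits


if __name__ == "__main__":
    for uri in scan_log(SAMPLE_LOG):
        print("ALERT sid:2059300", uri)
```

Note that because of the `.+` in the pcre, a value consisting of a bare keyword directly after `group_id=` does not match; the rule expects at least one leading character.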
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | 3.0 | 9.6 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| NVD | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Suricata
ET WEB_SPECIFIC_APPS phpGACL assign_group group_id Parameter Reflected Cross-Site Scripting (CVE-2020-13563) [MEDIUM] · suricata · 2025-01-17 · CVSS 6.1
Rule: sid:2059300 (full rule text given under Detection & IOCs above)
No public exploits indexed.
No writeups or analysis indexed.