CVE-2020-13564
Published 2021-02-01
Priority: P3 · 43 · medium · 6.1 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS: 75.86% (99.5th percentile)
A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template acl_id parameter.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open-emr | openemr | — | — |
| phpgacl_project | phpgacl | — | — |
| phpgacl_project | phpgacl | — | — |
Detection & IOCs (extracted from sources)
path: admin/acl_admin.php
Snort rule:

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS phpGACL acl_admin acl_id Parameter Reflected Cross-Site Scripting (CVE-2020-13564)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"admin/acl_admin.php|3f|"; fast_pattern; content:"acl_id|3d|"; distance:0; pcre:"/^.+(script|onmouse[a-z]+|onkey[a-z]+|onerror|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3d)/Ri"; reference:url,talosintelligence.com/vulnerability_reports/TALOS-2020-1177; reference:cve,2020-13564; classtype:web-application-attack; sid:2059301; rev:1;)
```

- Exploit requests use the HTTP GET method against the acl_admin.php endpoint with the acl_id parameter carrying XSS payloads. Look for event-handler keywords or `style=` injected into the acl_id value.
- The vulnerability is a reflected XSS in the acl_id parameter of phpGACL's template functionality, triggered via a crafted URL.
- TLS-decrypted traffic inspection is required to detect this attack when it is served over HTTPS (tls_state: TLSDecrypt / deployment: SSLDecrypt).
- The PCRE in the rule is case-insensitive and matches a broad set of XSS event-handler patterns; tuning may be needed to reduce false positives in environments where these keywords legitimately appear in URIs.
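To make the rule's matching chain concrete, the following is an added Python re-implementation of its content/pcre logic run over a handful of constructed access-log lines. It is example code written for this page, not part of the ET ruleset, Suricata, or phpGACL. It assumes a combined-format access log and approximates the sensor's http.uri normalisation by percent-decoding the URI (the real behaviour depends on the libhtp configuration). The constructed lines include a benign-looking value (`acl_id=javascript_editor`) that trips the rule, illustrating the false-positive caveat above, and a keyword in a later query parameter, which the rule's unbounded `.+` also catches.

```python
"""Added example: re-implementation of the matching chain of ET sid:2059301
(phpGACL acl_admin.php acl_id reflected XSS) applied to access-log lines."""
import re
from urllib.parse import unquote

# Keyword alternation copied from the rule's pcre option. The rule's /R flag
# anchors ^ at the end of the preceding "acl_id=" content match and /i makes
# it case-insensitive; "style\x3d" in the rule is simply "style=".
XSS_KEYWORDS = re.compile(
    r"^.+(script|onmouse[a-z]+|onkey[a-z]+|onerror|onload|onunload|ondragdrop"
    r"|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style=)",
    re.IGNORECASE,
)
ENDPOINT = "admin/acl_admin.php?"   # content:"admin/acl_admin.php|3f|"
PARAM = "acl_id="                   # content:"acl_id|3d|"; distance:0

# Combined/common access-log line layout (the sample lines below are constructed).
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def matches_rule(method: str, uri: str) -> bool:
    """Return True if (method, uri) would satisfy the rule's content/pcre chain."""
    if method != "GET":                          # http.method; content:"GET"
        return False
    # Assumption: the sensor's http.uri buffer is percent-decoded; actual
    # normalisation is governed by the libhtp configuration of the sensor.
    uri = unquote(uri)
    start = uri.find(ENDPOINT)
    if start < 0:
        return False
    # distance:0 -> "acl_id=" must begin at or after the end of the endpoint match.
    # Only the first occurrence needs checking: the pcre's .+ would absorb the
    # extra characters before any later occurrence anyway.
    pos = uri.find(PARAM, start + len(ENDPOINT))
    if pos < 0:
        return False
    # pcre:/^.+(...)/Ri -- ^ is relative to the end of the acl_id= match, the
    # pattern runs to the end of the URI (so keywords in later parameters also
    # hit), and .+ requires at least one character before the keyword.
    return XSS_KEYWORDS.match(uri[pos + len(PARAM):]) is not None


def scan_log(lines):
    """Return (line_no, client, uri) for every log line the rule would alert on."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if m and matches_rule(m["method"], m["uri"]):
            hits.append((n, m["client"], m["uri"]))
    return hits


# Constructed sample log; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [17/Jan/2025:10:00:01 +0000] "GET /admin/acl_admin.php?acl_id=12 HTTP/1.1" 200 4821',
    '198.51.100.7 - - [17/Jan/2025:10:00:02 +0000] "GET /admin/acl_admin.php?acl_id=12%22%3E%3Cscript%3E HTTP/1.1" 200 4903',
    '203.0.113.4 - - [17/Jan/2025:10:00:03 +0000] "GET /admin/acl_admin.php?return_page=1&acl_id=5&style=x HTTP/1.1" 200 4821',
    '203.0.113.4 - - [17/Jan/2025:10:00:04 +0000] "POST /admin/acl_admin.php?acl_id=1+onerror=x HTTP/1.1" 302 0',
    '192.0.2.9 - - [17/Jan/2025:10:00:05 +0000] "GET /admin/acl_admin.php?acl_id=javascript_editor HTTP/1.1" 200 4821',
    '192.0.2.9 - - [17/Jan/2025:10:00:06 +0000] "GET /index.php?acl_id=1%3Cscript%3E HTTP/1.1" 200 1200',
    '192.0.2.9 - - [17/Jan/2025:10:00:07 +0000] "GET /admin/acl_admin.php?acl_id=script HTTP/1.1" 200 4821',
]

if __name__ == "__main__":
    # Expected hits: line 2 (encoded script tag), line 3 (style= in a later
    # parameter), line 5 (benign "javascript_editor" contains "script").
    for n, client, uri in scan_log(SAMPLE_LOG):
        print(f"line {n}: {client} {uri}")
```

Line 4 is skipped because of the method check, line 6 because the endpoint content is absent, and line 7 because `.+` needs at least one character between `acl_id=` and the keyword. Line 5 shows why the tuning caveat matters: any value containing `script` fires the rule. A tuned variant that bounds the value with `[^&]*` before the keyword would stop alerting on keywords in later parameters (line 3) at the cost of that coverage, so weigh it against how the application is actually used.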
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | 3.0 | 9.6 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| NVD | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Suricata
ET WEB_SPECIFIC_APPS phpGACL acl_admin acl_id Parameter Reflected Cross-Site Scripting (CVE-2020-13564)
suricata · 2025-01-17 · CVSS 6.1 · [MEDIUM]
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS phpGACL acl_admin acl_id Parameter Reflected Cross-Site Scripting (CVE-2020-13564)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"admin/acl_admin.php|3f|"; fast_pattern; content:"acl_id|3d|"; distance:0; pcre:"/^.+(script|onmouse[a-z]+|onkey[a-z]+|onerror|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3d)/Ri"; reference:url,talosintelligence.com/vulnerability_reports/TALOS-2020-1177; reference:cve,2020-13564; classtype:web-application-attack; sid:2059301; rev:1; metadata:affected_product phpGACL, attack_target Web_Server, tls_state TL
No public exploits indexed.
Talos
Vulnerability Spotlight: Multiple vulnerabilities in phpGACL class
blogs_talos · 2021-01-27 · CVSS 6.1 · [MEDIUM]
Claudio Bozzato of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.
Cisco Talos recently discovered multiple vulnerabilities in the phpGACL class. One of these vulnerabilities also affects OpenEMR, a medical practice management software written in PHP. phpGACL is a PHP library that allows developers to implement permission systems via a Generic Access Control List. An adversary could exploit these vulnerabilities by sending the target machine a specially crafted, malicious HTTP request or URL.
In accordance with our coordinated disclosure policy, Cisco Talos worked with phpGACL and OpenEMR to ensure that these issues are resolved and that an update is available for affected customers.
## Vulnerability details
phpGACL template multiple cross-site scripting vulnerabilit