CVE-2020-13564
published 2021-02-01

Priority: P3 · 43 · medium
CVSS 3.1 base score: 6.1 (medium), vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 75.86% (99.5th percentile)
A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template acl_id parameter.

Affected (3 ranges; the version-range and fixed-in cells are empty in the source)

Vendor            Product    Version range    Fixed in
open-emr          openemr
phpgacl_project   phpgacl
phpgacl_project   phpgacl

Detection & IOCs (extracted from sources)

Path: admin/acl_admin.php

Snort/Suricata rule (ET sid 2059301). The "alert http" protocol keyword and the http.method / http.uri sticky buffers are Suricata 5+ syntax; Snort deployments need the equivalent http_method / http_uri form.

alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS phpGACL acl_admin acl_id Parameter Reflected Cross-Site Scripting (CVE-2020-13564)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"admin/acl_admin.php|3f|"; fast_pattern; content:"acl_id|3d|"; distance:0; pcre:"/^.+(script|onmouse[a-z]+|onkey[a-z]+|onerror|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3d)/Ri"; reference:url,talosintelligence.com/vulnerability_reports/TALOS-2020-1177; reference:cve,2020-13564; classtype:web-application-attack; sid:2059301; rev:1;)
  • Exploit requests use the HTTP GET method against the acl_admin.php endpoint with an XSS payload in the acl_id parameter. The rule looks for script, a set of on* event-handler keywords, or 'style=' anywhere after 'acl_id=' in the request URI.
  • The vulnerability is a reflected XSS in the acl_id parameter of phpGACL's template functionality, triggered via a crafted URL, so a single GET request is the whole attack.
  • The rule inspects HTTP request buffers, so traffic served over HTTPS is only visible to it after TLS decryption (the source tags it tls_state TLSDecrypt / deployment SSLDecrypt).
  • The PCRE is case-insensitive and is anchored relative to the end of the 'acl_id=' match with a greedy '^.+', so it also fires when the keyword appears in a later query parameter of the same URI; tune or add a negative match if legitimate URIs on acl_admin.php carry these keywords. Conversely, because '.+' must consume at least one character, a value that begins with the keyword itself (acl_id=onerror...) is not matched, though real payloads normally start with a quote or angle bracket and are caught.
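To see concretely what the rule above fires on, here is an added Python emulation of its content/pcre chain, run over a handful of constructed request lines. This is example code written for this page, not code from Emerging Threats, Talos or phpGACL; it models only the request line and assumes the flow and buffer conditions (established, to_server, normalised URI) already hold. The sample requests are constructed, not captured traffic; the "other_param" and "bare_keyword" cases show the cross-parameter and keyword-first edges of the greedy '^.+' pattern.

```python
import re

# Keyword alternation copied from the rule's pcre. The rule applies it
# case-insensitively (/i) and relative to the end of the "acl_id=" match (/R).
XSS_KEYWORDS = (
    r"(script|onmouse[a-z]+|onkey[a-z]+|onerror|onload|onunload|ondragdrop"
    r"|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3d)"
)
# With /R, "^" anchors at the end of the previous content match, and ".+"
# demands at least one character between "acl_id=" and the keyword.
PCRE = re.compile(r"^.+" + XSS_KEYWORDS, re.IGNORECASE)


def sid_2059301_matches(request_line: str) -> bool:
    """Emulate ET sid 2059301's match chain on one HTTP request line.

    Simplification (assumption): only the first occurrence of each content
    string is tried; a real engine also retries later occurrences.
    """
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    method, uri = parts[0], parts[1]
    if method != "GET":                                   # http.method; content:"GET"
        return False
    i = uri.find("admin/acl_admin.php?")                  # http.uri; content:"admin/acl_admin.php|3f|"
    if i < 0:
        return False
    j = uri.find("acl_id=", i + len("admin/acl_admin.php?"))  # content:"acl_id|3d|"; distance:0
    if j < 0:
        return False
    # pcre:"/^.+(...)/Ri" starts scanning right after "acl_id="
    return PCRE.match(uri[j + len("acl_id="):]) is not None


# Constructed sample request lines (not real traffic).
SAMPLE_REQUESTS = {
    "benign":        "GET /admin/acl_admin.php?acl_id=12&return_page=acl_list.php HTTP/1.1",
    "reflected_xss": 'GET /admin/acl_admin.php?acl_id=1"><script>alert(1)</script> HTTP/1.1',
    "event_handler": "GET /admin/acl_admin.php?acl_id=1%22%20onfocus%3Dalert(1)%20autofocus HTTP/1.1",
    "other_param":   "GET /admin/acl_admin.php?acl_id=12&return_page=<script>x</script> HTTP/1.1",
    "post_body":     "POST /admin/acl_admin.php HTTP/1.1",
    "bare_keyword":  "GET /admin/acl_admin.php?acl_id=onerror HTTP/1.1",
}


def classify(requests=SAMPLE_REQUESTS):
    """Return {name: alert?} for each sample request line."""
    return {name: sid_2059301_matches(line) for name, line in requests.items()}


if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:14s} {'ALERT' if hit else '-'}")
```

The "event_handler" line still alerts even though the quote and equals sign are percent-encoded, because the keyword itself ("onfocus") is sent literally; the rule's keyword list is the detection surface, not the surrounding syntax. The "other_param" line alerts although the payload is not in acl_id at all, which is the main tuning point in practice.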

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     6.1    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd     v3.0     9.6    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
nvd     v2.0     4.3    MEDIUM    AV:N/AC:M/Au:N/C:N/I:P/A:N

The gap between the two v3.x rows is not a formula change: the v3.0 vector rates impact as C:H/I:H/A:H while the v3.1 vector rates it C:L/I:L/A:N, which is the usual scoring for a reflected XSS (scope changed, limited confidentiality and integrity loss, no availability impact).