CVE-2020-13566
published 2021-04-13CVE-2020-13566: SQL injection vulnerabilities exist in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to…
PriorityP352high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
1.58%
72.4th percentile
SQL injection vulnerabilities exist in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability In admin/edit_group.php, when the POST parameter action is “Delete”, the POST parameter delete_group leads to a SQL injection.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open-emr | openemr | — | — |
| phpgacl_project | phpgacl | — | — |
| phpgacl_project | phpgacl | — | — |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
osv8.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-856m-qvrj-mfjh: SQL injection vulnerabilities exist in phpGACL 3
ghsa_unreviewed·2022-05-24
CVE-2020-13566 [HIGH] CWE-89 GHSA-856m-qvrj-mfjh: SQL injection vulnerabilities exist in phpGACL 3
SQL injection vulnerabilities exist in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability In admin/edit_group.php, when the POST parameter action is “Delete”, the POST parameter delete_group leads to a SQL injection.
OSV
CVE-2020-13566: SQL injection vulnerabilities exist in phpGACL 3
osv·2021-04-13·CVSS 8.8
CVE-2020-13566 [HIGH] CVE-2020-13566: SQL injection vulnerabilities exist in phpGACL 3
SQL injection vulnerabilities exist in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability In admin/edit_group.php, when the POST parameter action is “Delete”, the POST parameter delete_group leads to a SQL injection.
No detection rules found.
No public exploits indexed.
Talos
Vulnerability Spotlight: Multiple vulnerabilities in phpGACL class
blogs_talos·2021-01-27·CVSS 6.1
[MEDIUM] Vulnerability Spotlight: Multiple vulnerabilities in phpGACL class
Claudio Bozzato of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.
Cisco Talos recently discovered multiple vulnerabilities in the phpGACL class. One of these vulnerabilities also affects OpenEMR, a medical practice management software written in PHP. phpGACL is a PHP library that allows developers to implement permission systems via a Generic Access Control List. An adversary could exploit these vulnerabilities by sending the target machine a specially crafted, malicious HTTP request or URL.
In accordance with our coordinated disclosure policy, Cisco Talos worked with phpGACL and OpenEMR to ensure that these issues are resolved and that an update is available for affected customers.
## Vulnerability details
phpGACL template multiple cross-site scripting vulnerabilit
Talos
Vulnerability Spotlight: Multiple vulnerabilities in phpGACL class
blogs_talos·2021-01-27·CVSS 6.1
[MEDIUM] Vulnerability Spotlight: Multiple vulnerabilities in phpGACL class
## Vulnerability Spotlight: Multiple vulnerabilities in phpGACL class
Claudio Bozzato of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.
Cisco Talos recently discovered multiple vulnerabilities in the phpGACL class. One of these vulnerabilities also affects OpenEMR, a medical practice management software written in PHP. phpGACL is a PHP library that allows developers to implement permission systems via a Generic Access Control List. An adversary could exploit these vulnerabilities by sending the target machine a specially crafted, malicious HTTP request or URL.
In accordance with our coordinated disclosure policy, Cisco Talos worked with phpGACL and OpenEMR to ensure that these issues are resolved and that an update is available for affected customers.
## Vulnerabili
2021-04-13
Published