CVE-2020-13568

2021-04-1315:00:28

CWE-89

talos

www.cve.org

cve-2020-13568

sql injection

phpgacl 3.3.7

http request

admin/edit_group.php

post parameter

action

submit

parent_id

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

52.9%

JSON

SQL injection vulnerability exists in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability in admin/edit_group.php, when the POST parameter action is “Submit”, the POST parameter parent_id leads to a SQL injection.

CNA Affected

[
  {
    "product": "phpGACL",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "OpenEMR 5.0.2, OpenEMR development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce), phpGACL 3.3.7"
      }
    ]
  }
]