PT-2021-9640 · Phpgacl · Phpgacl

Published 2021-01-30 · Updated 2022-08-06 · CVE-2020-13566

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: phpGACL version 3.3.7

Description: The issue allows SQL injection through a specially crafted HTTP request. In the file admin/edit_group.php, when the POST parameter action is set to "Delete", the POST parameter delete_group is used in a way that leads to SQL injection. An attacker who can send a crafted HTTP request to this file can trigger it.

Recommendations: For phpGACL version 3.3.7, consider disabling the delete group functionality in admin/edit_group.php until a patch is available. Restrict access to the admin/edit_group.php file to minimize the risk of exploitation. Avoid using the delete_group parameter in the affected HTTP request until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2020-13566

Affected Products

Phpgacl