PT-2021-9641 · Phpgacl · Phpgacl

Claudio Bozzato · Published 2021-01-30 · Updated 2022-08-06 · CVE-2020-13568

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: phpGACL version 3.3.7
Description: A SQL injection vulnerability exists in admin/edit_group.php, which an attacker can trigger by sending a specially crafted HTTP request. When the POST parameter action is "Submit", the POST parameter parent_id can lead to a SQL injection.
Recommendations: For phpGACL version 3.3.7, as a temporary workaround, restrict access to the admin/edit_group.php endpoint until a patch is available, and avoid using the parent_id parameter on the affected endpoint until the issue is resolved. At the moment there is no information about a newer version that contains a fix for this vulnerability.
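As an added illustration of the pattern behind the recommendation (not phpGACL's own code, which this page does not show): in the action=Submit branch, reject any parent_id that is not a plain numeric group id before it reaches a query, and bind it as a parameter instead of splicing it into SQL. The table and column names, the group_id parameter, and the use of PDO are assumptions.

```php
<?php
// Added illustration of safe handling for the parameters named in the
// advisory (action, parent_id). Not phpGACL's code; the table/column names
// (gacl_aro_groups, parent_id), the group_id parameter and the PDO
// connection are assumptions.

/**
 * Return parent_id as a non-negative integer, or null if it is missing or
 * not a plain decimal number. Anything that is not digits is rejected
 * outright rather than escaped, so no SQL metacharacters reach a query.
 */
function validated_parent_id(array $post): ?int
{
    if (!isset($post['parent_id'])) {
        return null;
    }
    $raw = (string) $post['parent_id'];
    // ctype_digit() is false for "", "-1", "1 OR 1=1", "1e3", etc.
    if (!ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    return (int) $raw;
}

function handle_edit_group(PDO $db, array $post): bool
{
    // Per the advisory, only the Submit action reaches the vulnerable query.
    if (($post['action'] ?? '') !== 'Submit') {
        return false;
    }
    $parentId = validated_parent_id($post);
    $groupId  = isset($post['group_id']) && ctype_digit((string) $post['group_id'])
        ? (int) $post['group_id'] : null;
    if ($parentId === null || $groupId === null) {
        http_response_code(400);
        // Logging the rejection gives defenders a signal for probing attempts.
        error_log('edit_group: rejected non-numeric parent_id/group_id');
        return false;
    }
    // Placeholders instead of string concatenation: the value is sent to
    // the driver as data and is never parsed as SQL.
    $stmt = $db->prepare(
        'UPDATE gacl_aro_groups SET parent_id = :parent WHERE id = :id'
    );
    $stmt->bindValue(':parent', $parentId, PDO::PARAM_INT);
    $stmt->bindValue(':id', $groupId, PDO::PARAM_INT);
    return $stmt->execute();
}
```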

Exploit: SQL injection

Weakness Enumeration

Related Identifiers: CVE-2020-13568

Affected Products: Phpgacl