CVE-2020-13567: 
OpenEMR vulnerability analysis and mitigation

CVE-2020-13567 is a SQL injection vulnerability discovered in phpGACL 3.3.7, a PHP library that allows developers to implement permission systems via a Generic Access Control List. The vulnerability was discovered by Claudio Bozzato of Cisco Talos and was disclosed to the vendor on October 23, 2020. The vulnerability specifically affects the parentid parameter in the admin/editgroup.php file when the POST parameter action is set to 'Submit' (Talos Report).

The vulnerability exists due to improper sanitization of the parentid parameter in admin/editgroup.php. When the POST parameter action is set to 'Submit', the parentid parameter is passed to both addgroup and editgroup functions without proper sanitization. The vulnerability allows an attacker to inject SQL commands through the parentid parameter. The issue has been assigned a CVSSv3 score of 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) (Talos Report).

A successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL commands on the underlying database. This could potentially lead to unauthorized access to sensitive data, modification of database contents, and compromise of the application's integrity (NVD).

The vulnerability was patched by the vendor on January 5, 2021. Users are advised to upgrade to the patched version of phpGACL. The fix includes proper sanitization of the parentid parameter before its use in SQL queries ([Talos Report](https://talosintelligence.com/vulnerabilityreports/TALOS-2020-1179)).