CVE-2020-26625: 
PHP vulnerability analysis and mitigation

A SQL injection vulnerability was discovered in Gila CMS versions 1.15.4 and earlier, identified as CVE-2020-26625. The vulnerability allows remote attackers to execute arbitrary web scripts via the 'user_id' parameter after accessing the login portal (NVD, CVE).

The vulnerability is classified as a SQL injection (CWE-89) with a CVSS v3.1 base score of 3.8 (LOW), and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N. The attack requires high privileges and can be executed remotely through network access, with no user interaction required (NVD).

The successful exploitation of this vulnerability could lead to unauthorized access to sensitive data and potential manipulation of the database through SQL injection attacks. The impact is rated as low for both confidentiality and integrity, with no impact on availability (NVD).

Users are advised to upgrade to a version newer than Gila CMS 1.15.4. The project maintains a security policy where all versions can be upgraded to the latest version that includes security updates. For reporting security issues, users should email contact@gilacms.com instead of using the public issue tracker (Security Policy).