A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template group_id parameter.
| Software | From | Fixed in |
|---|---|---|
| open-emr / openemr | 5.0.2 | 5.0.2.x |
| phpgacl_project / phpgacl | 3.3.7 | 3.3.7.x |