Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
6 vulnerabilities by Sitejo
CVE-2018-25391 (GCVE-0-2018-25391)
Vulnerability from cvelistv5 – Published: 2026-05-29 14:46 – Updated: 2026-05-29 19:25
VLAI
Title
HaPe PKH 1.1 Missing Authorization Allows Unauthenticated Record Deletion
Summary
HaPe PKH 1.1 fails to enforce authorization on its record deletion endpoints, allowing unauthenticated attackers to delete arbitrary records by sending a crafted request that specifies the target record's id. The admin/modul/mod_pengurus/aksi_pengurus.php (module=pengurus&act=hapus) and admin/modul/mod_update/aksi_update.php (module=update&act=hapus) endpoints process deletions without verifying the requester's privileges, enabling removal of pengurus (administrator) and update records.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/45588 | exploit |
| http://www.sitejo.id | product |
| https://sourceforge.net/projects/hape-pkh/files/l… | product |
| https://www.vulncheck.com/advisories/hape-pkh-mis… | third-party-advisory |
Date Public
2018-10-12 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2018-25391",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T19:22:55.575923Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:25:37.368Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "HaPe PKH",
"vendor": "Sitejo",
"versions": [
{
"status": "affected",
"version": "1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ihsan Sencan"
}
],
"datePublic": "2018-10-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "HaPe PKH 1.1 fails to enforce authorization on its record deletion endpoints, allowing unauthenticated attackers to delete arbitrary records by sending a crafted request that specifies the target record\u0027s id. The admin/modul/mod_pengurus/aksi_pengurus.php (module=pengurus\u0026act=hapus) and admin/modul/mod_update/aksi_update.php (module=update\u0026act=hapus) endpoints process deletions without verifying the requester\u0027s privileges, enabling removal of pengurus (administrator) and update records."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T14:46:34.617Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-45588",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/45588"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "http://www.sitejo.id"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://sourceforge.net/projects/hape-pkh/files/latest/download"
},
{
"name": "VulnCheck Advisory: HaPe PKH 1.1 Missing Authorization Allows Unauthenticated Record Deletion",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/hape-pkh-missing-authorization-allows-unauthenticated-record-deletion"
}
],
"title": "HaPe PKH 1.1 Missing Authorization Allows Unauthenticated Record Deletion",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2018-25391",
"datePublished": "2026-05-29T14:46:34.617Z",
"dateReserved": "2026-05-29T11:24:03.699Z",
"dateUpdated": "2026-05-29T19:25:37.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2018-25390 (GCVE-0-2018-25390)
Vulnerability from cvelistv5 – Published: 2026-05-29 14:46 – Updated: 2026-05-29 20:35
VLAI
Title
HaPe PKH 1.1 SQL Injection via desa Parameter
Summary
HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'desa' POST parameter sent to lap-peserta-perdesa-pdf.php. Attackers can send a crafted request with a time-based blind payload to infer and extract sensitive database information.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/45588 | exploit |
| http://www.sitejo.id | product |
| https://sourceforge.net/projects/hape-pkh/files/l… | product |
| https://www.vulncheck.com/advisories/hape-pkh-sql… | third-party-advisory |
Date Public
2018-10-12 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2018-25390",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T20:35:19.333897Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T20:35:28.280Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "HaPe PKH",
"vendor": "Sitejo",
"versions": [
{
"status": "affected",
"version": "1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ihsan Sencan"
}
],
"datePublic": "2018-10-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the \u0027desa\u0027 POST parameter sent to lap-peserta-perdesa-pdf.php. Attackers can send a crafted request with a time-based blind payload to infer and extract sensitive database information."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T14:46:33.895Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-45588",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/45588"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "http://www.sitejo.id"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://sourceforge.net/projects/hape-pkh/files/latest/download"
},
{
"name": "VulnCheck Advisory: HaPe PKH 1.1 SQL Injection via desa Parameter",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/hape-pkh-sql-injection-via-desa-parameter"
}
],
"title": "HaPe PKH 1.1 SQL Injection via desa Parameter",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2018-25390",
"datePublished": "2026-05-29T14:46:33.895Z",
"dateReserved": "2026-05-29T11:24:03.699Z",
"dateUpdated": "2026-05-29T20:35:28.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2018-25389 (GCVE-0-2018-25389)
Vulnerability from cvelistv5 – Published: 2026-05-29 14:46 – Updated: 2026-06-02 18:51
VLAI
Title
HaPe PKH 1.1 SQL Injection via nama_kelompok Parameter
Summary
HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'nama_kelompok' POST parameter sent to lap-anggota-kelompok-pdf.php. Attackers can send a crafted request with a time-based blind payload to infer and extract sensitive database information.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/45588 | exploit |
| http://www.sitejo.id | product |
| https://sourceforge.net/projects/hape-pkh/files/l… | product |
| https://www.vulncheck.com/advisories/hape-pkh-sql… | third-party-advisory |
Date Public
2018-10-12 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2018-25389",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T18:51:29.595824Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T18:51:50.138Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "HaPe PKH",
"vendor": "Sitejo",
"versions": [
{
"status": "affected",
"version": "1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ihsan Sencan"
}
],
"datePublic": "2018-10-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the \u0027nama_kelompok\u0027 POST parameter sent to lap-anggota-kelompok-pdf.php. Attackers can send a crafted request with a time-based blind payload to infer and extract sensitive database information."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T14:46:33.184Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-45588",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/45588"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "http://www.sitejo.id"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://sourceforge.net/projects/hape-pkh/files/latest/download"
},
{
"name": "VulnCheck Advisory: HaPe PKH 1.1 SQL Injection via nama_kelompok Parameter",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/hape-pkh-sql-injection-via-nama-kelompok-parameter"
}
],
"title": "HaPe PKH 1.1 SQL Injection via nama_kelompok Parameter",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2018-25389",
"datePublished": "2026-05-29T14:46:33.184Z",
"dateReserved": "2026-05-29T11:24:03.699Z",
"dateUpdated": "2026-06-02T18:51:50.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2018-25388 (GCVE-0-2018-25388)
Vulnerability from cvelistv5 – Published: 2026-05-29 14:46 – Updated: 2026-05-29 17:25
VLAI
Title
HaPe PKH 1.1 Arbitrary File Upload via aksi_foto.php
Summary
HaPe PKH 1.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by bypassing file type validation. Attackers can upload PHP files through multiple endpoints including aksi_foto.php, aksi_user.php, and aksi_kecamatan.php to execute arbitrary code on the server.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/45593 | exploit |
| http://www.sitejo.id | product |
| https://sourceforge.net/projects/hape-pkh/files/l… | product |
| https://www.vulncheck.com/advisories/hape-pkh-arb… | third-party-advisory |
Date Public
2018-10-12 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2018-25388",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T17:24:54.290788Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T17:25:15.068Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "HaPe PKH",
"vendor": "Sitejo",
"versions": [
{
"status": "affected",
"version": "1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ihsan Sencan"
}
],
"datePublic": "2018-10-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "HaPe PKH 1.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by bypassing file type validation. Attackers can upload PHP files through multiple endpoints including aksi_foto.php, aksi_user.php, and aksi_kecamatan.php to execute arbitrary code on the server."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T14:46:32.498Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-45593",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/45593"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "http://www.sitejo.id"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://sourceforge.net/projects/hape-pkh/files/latest/download"
},
{
"name": "VulnCheck Advisory: HaPe PKH 1.1 Arbitrary File Upload via aksi_foto.php",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/hape-pkh-arbitrary-file-upload-via-aksi-foto-php"
}
],
"title": "HaPe PKH 1.1 Arbitrary File Upload via aksi_foto.php",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2018-25388",
"datePublished": "2026-05-29T14:46:32.498Z",
"dateReserved": "2026-05-29T11:17:19.632Z",
"dateUpdated": "2026-05-29T17:25:15.068Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2018-25387 (GCVE-0-2018-25387)
Vulnerability from cvelistv5 – Published: 2026-05-29 14:46 – Updated: 2026-06-02 01:31
VLAI
Title
HaPe PKH 1.1 Cross-Site Request Forgery via aksi_user.php
Summary
HaPe PKH 1.1 contains a cross-site request forgery vulnerability that allows attackers to change administrator passwords by submitting forged requests to the user update endpoint. Attackers can craft malicious forms targeting the aksi_user.php script with parameters like id_user, password, and level to modify admin credentials without authentication.
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/45591 | exploit |
| http://www.sitejo.id | product |
| https://sourceforge.net/projects/hape-pkh/files/l… | product |
| https://www.vulncheck.com/advisories/hape-pkh-cro… | third-party-advisory |
Date Public
2018-10-12 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2018-25387",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T01:31:09.645351Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T01:31:20.317Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "HaPe PKH",
"vendor": "Sitejo",
"versions": [
{
"status": "affected",
"version": "1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ihsan Sencan"
}
],
"datePublic": "2018-10-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "HaPe PKH 1.1 contains a cross-site request forgery vulnerability that allows attackers to change administrator passwords by submitting forged requests to the user update endpoint. Attackers can craft malicious forms targeting the aksi_user.php script with parameters like id_user, password, and level to modify admin credentials without authentication."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T14:46:31.802Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-45591",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/45591"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "http://www.sitejo.id"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://sourceforge.net/projects/hape-pkh/files/latest/download"
},
{
"name": "VulnCheck Advisory: HaPe PKH 1.1 Cross-Site Request Forgery via aksi_user.php",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/hape-pkh-cross-site-request-forgery-via-aksi-user-php"
}
],
"title": "HaPe PKH 1.1 Cross-Site Request Forgery via aksi_user.php",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2018-25387",
"datePublished": "2026-05-29T14:46:31.802Z",
"dateReserved": "2026-05-29T11:16:38.154Z",
"dateUpdated": "2026-06-02T01:31:20.317Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2018-25386 (GCVE-0-2018-25386)
Vulnerability from cvelistv5 – Published: 2026-05-29 14:46 – Updated: 2026-05-29 19:19
VLAI
Title
HaPe PKH 1.1 SQL Injection via id Parameter in admin/media.php
Summary
HaPe PKH 1.1 contains multiple SQL injection vulnerabilities in admin/media.php that allow attackers to manipulate database queries by injecting SQL code through the 'id' parameter. An unauthenticated attacker can exploit the desa module (module=desa&act=hapus), while authenticated users can exploit the pengurus, fasilitas, and kelompok modules (for example act=print, act=editpengurus, act=editfasilitas, and act=editkelompok). Successful exploitation allows extraction of sensitive database information including the current user, database name, and DBMS version.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/45588 | exploit |
| http://www.sitejo.id | product |
| https://sourceforge.net/projects/hape-pkh/files/l… | product |
| https://www.vulncheck.com/advisories/hape-pkh-sql… | third-party-advisory |
Date Public
2018-10-12 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2018-25386",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T19:19:19.108993Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:19:44.241Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "HaPe PKH",
"vendor": "Sitejo",
"versions": [
{
"status": "affected",
"version": "1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ihsan Sencan"
}
],
"datePublic": "2018-10-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "HaPe PKH 1.1 contains multiple SQL injection vulnerabilities in admin/media.php that allow attackers to manipulate database queries by injecting SQL code through the \u0027id\u0027 parameter. An unauthenticated attacker can exploit the desa module (module=desa\u0026act=hapus), while authenticated users can exploit the pengurus, fasilitas, and kelompok modules (for example act=print, act=editpengurus, act=editfasilitas, and act=editkelompok). Successful exploitation allows extraction of sensitive database information including the current user, database name, and DBMS version."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T14:46:31.099Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-45588",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/45588"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "http://www.sitejo.id"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://sourceforge.net/projects/hape-pkh/files/latest/download"
},
{
"name": "VulnCheck Advisory: HaPe PKH 1.1 SQL Injection via id Parameter in admin/media.php",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/hape-pkh-sql-injection-via-id-parameter-in-admin-media-php"
}
],
"title": "HaPe PKH 1.1 SQL Injection via id Parameter in admin/media.php",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2018-25386",
"datePublished": "2026-05-29T14:46:31.099Z",
"dateReserved": "2026-05-29T11:15:20.657Z",
"dateUpdated": "2026-05-29T19:19:44.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}