CVE-2018-25391— HaPe PKH 1.1 Missing Authorization Allows Unauthenticated Record Deletion
Possible ATT&CK Techniques 1AI
T1068 · Exploitation for Privilege EscalationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2018-25391
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
HaPe PKH 1.1 Missing Authorization Allows Unauthenticated Record Deletion
Source: NVD (National Vulnerability Database)
Vulnerability Description
HaPe PKH 1.1 fails to enforce authorization on its record deletion endpoints, allowing unauthenticated attackers to delete arbitrary records by sending a crafted request that specifies the target record's id. The admin/modul/mod_pengurus/aksi_pengurus.php (module=pengurus&act=hapus) and admin/modul/mod_update/aksi_update.php (module=update&act=hapus) endpoints process deletions without verifying the requester's privileges, enabling removal of pengurus (administrator) and update records.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制缺失
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2018-25391
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2018-25391
请登录查看更多情报信息。
Exploits & Public PoCs for CVE-2018-25391 (1)
Other References for CVE-2018-25391 (1)
Other References for CVE-2018-25391 (1)
- http://www.sitejo.idproduct
Same Patch Batch · Sitejo · 2026-05-29 · 6 CVEs total
| CVE-2018-25388 | 8.8 HIGH | HaPe PKH 1.1 Arbitrary File Upload via aksi_foto.php |
| CVE-2018-25389 | 8.2 HIGH | HaPe PKH 1.1 SQL Injection via nama_kelompok Parameter |
| CVE-2018-25390 | 8.2 HIGH | HaPe PKH 1.1 SQL Injection via desa Parameter |
| CVE-2018-25386 | 8.2 HIGH | HaPe PKH 1.1 SQL Injection via id Parameter in admin/media.php |
| CVE-2018-25387 | 5.3 MEDIUM | HaPe PKH 1.1 Cross-Site Request Forgery via aksi_user.php |
IV. Related Vulnerabilities
Same product: HaPe PKH
- CVE-2018-25390
HaPe PKH 1.1 SQL Injection via desa Parameter - CVE-2018-25389
HaPe PKH 1.1 SQL Injection via nama_kelompok Parameter - CVE-2018-25388
HaPe PKH 1.1 Arbitrary File Upload via aksi_foto.php - CVE-2018-25387
HaPe PKH 1.1 Cross-Site Request Forgery via aksi_user.php - CVE-2018-25386
HaPe PKH 1.1 SQL Injection via id Parameter in admin/media.p
Same vendor: Sitejo
- CVE-2018-25390
HaPe PKH 1.1 SQL Injection via desa Parameter - CVE-2018-25389
HaPe PKH 1.1 SQL Injection via nama_kelompok Parameter - CVE-2018-25388
HaPe PKH 1.1 Arbitrary File Upload via aksi_foto.php - CVE-2018-25387
HaPe PKH 1.1 Cross-Site Request Forgery via aksi_user.php - CVE-2018-25386
HaPe PKH 1.1 SQL Injection via id Parameter in admin/media.p
V. Comments for CVE-2018-25391
No comments yet