HaPe PKH
- <= 1.1
A SQL injection vulnerability has been identified in HaPe PKH version 1.1, specifically within the admin/media.php file. This vulnerability allows attackers to manipulate database queries by injecting SQL code through the 'id' parameter. Unauthenticated attackers can exploit this issue in the desa module, while authenticated users can target the pengurus, fasilitas, and kelompok modules. Successful exploitation could lead to the extraction of sensitive database information, including details about the current user, database name, and DBMS version.
By injecting SQL through this parameter, an attacker can manipulate the application's database queries, which could lead to unauthorized data access or modification. In this case, the vulnerability allows extraction of sensitive database information such as the current user, database name, and DBMS version.
The vulnerability can be reproduced by sending a POST request to 'admin/media.php' with the 'module' parameter set to 'desa', the 'act' parameter set to 'hapus', and a crafted 'id' parameter that injects SQL code. Authenticated users can also reproduce it by targeting the 'pengurus', 'fasilitas', or 'kelompok' modules with similar SQL injection payloads in the 'id' parameter.
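For defenders reviewing WAF or reverse-proxy audit records, the request shape described above can be checked mechanically. The following is an added example, not code from HaPe PKH or from the advisory. It assumes a legitimate 'id' is a plain decimal integer; the function names, the record layout (method, URL, body, session flag) and the sample requests are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Modules the advisory names as reachable through the 'id' parameter.
AFFECTED_MODULES = {"desa", "pengurus", "fasilitas", "kelompok"}
UNAUTHENTICATED_MODULES = {"desa"}  # per the advisory, no login needed


def suspicious_id(value):
    """Assumption: a legitimate 'id' is a plain ASCII decimal integer."""
    return not (value.isascii() and value.isdigit())


def review_request(method, url, body, has_session):
    """Return a finding dict for a request matching the advisory, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("admin/media.php"):
        return None
    # Merge query-string and POST-body parameters; repeated keys are all kept.
    params = parse_qs(parts.query)
    if method.upper() == "POST":
        for key, values in parse_qs(body).items():
            params.setdefault(key, []).extend(values)
    modules = set(params.get("module", [])) & AFFECTED_MODULES
    bad_ids = [v for v in params.get("id", []) if suspicious_id(v)]
    if not modules or not bad_ids:
        return None
    # A non-integer id on 'desa' without a session is the pre-auth case.
    unauth = not has_session and bool(modules & UNAUTHENTICATED_MODULES)
    return {
        "modules": sorted(modules),
        "act": params.get("act", [""])[0],
        "id_values": bad_ids,
        "severity": "high" if unauth else "medium",
    }


# Constructed sample records: (method, url, body, has_session).
SAMPLE = [
    ("POST", "/admin/media.php", "module=desa&act=hapus&id=7", False),
    ("POST", "/admin/media.php", "module=desa&act=hapus&id=7%27constructed", False),
    ("POST", "/admin/media.php?module=kelompok", "id=3%20constructed", True),
    ("GET", "/index.php?id=x", "", False),
]

if __name__ == "__main__":
    for record in SAMPLE:
        print(record[1], "->", review_request(*record))
```

The same integer-only rule, enforced server-side before the value reaches a query (together with parameterized statements), is the corresponding fix; this check only surfaces requests that violate it.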