HaPe PKH Cross-Site Request Forgery Vulnerability Allowing Password Changes

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in HaPe PKH version 1.1. It allows an attacker to change administrator passwords by causing an authenticated administrator's browser to submit forged requests to the user update endpoint. Exploitation involves crafting a malicious form that targets the 'aksi_user.php' script and supplies parameters such as 'id_user', 'password', and 'level' to modify admin credentials without authorization.

Impact

Successful exploitation allows an attacker to change passwords without authorization, potentially leading to unauthorized administrative access to the application.

Reproduction

To reproduce this vulnerability, send a POST request to the 'aksi_user.php' script with the 'module' parameter set to 'user' and the 'act' parameter set to 'update'. Include the 'id_user' parameter with the value of the user ID to be updated, the 'password' parameter with the new password, and the 'level' parameter set to 'admin'. This can be done using a web form or a tool that allows for the manipulation of request parameters, such as Burp Suite.
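
The defensive counterpart to the request described above is a synchronizer-token check on the update handler, combined with not trusting the client-supplied 'level' field. The following PHP is an added illustration, not code from HaPe PKH: the routing on module=user and act=update and the id_user, password and level fields follow the advisory, while the function names (csrf_token, csrf_valid, same_origin), the session keys and the form layout are constructed assumptions about how such a handler might be structured.

```php
<?php
// Added defensive example (not HaPe PKH code). Shows the checks a handler such
// as aksi_user.php would need so that a forged cross-site form is rejected.
// Function names, session keys and the form layout are assumptions for
// illustration; module/act/id_user/password/level come from the advisory.

// SameSite cookies stop most browsers from attaching the session cookie to a
// cross-site POST in the first place; the token check below is the real gate.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Issue one random token per session and reuse it in every legitimate form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session token in constant time.
function csrf_valid(?string $submitted): bool {
    if (empty($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Secondary check: the Origin (or Referer) header should name this host.
function same_origin(): bool {
    $origin = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    $host   = $_SERVER['HTTP_HOST'] ?? '';
    return $origin !== '' && parse_url($origin, PHP_URL_HOST) === $host;
}

// Only the update branch is shown, mirroring module=user and act=update.
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && ($_POST['module'] ?? '') === 'user'
    && ($_POST['act'] ?? '') === 'update') {

    // 1. Reject any request that does not carry the token bound to this session.
    if (!csrf_valid($_POST['csrf_token'] ?? null) || !same_origin()) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }

    // 2. Never let the client pick its own privilege level. The 'level' value
    //    comes from the authenticated session, not from the POST body.
    $level   = $_SESSION['level'] ?? 'user';
    $id_user = (int)($_POST['id_user'] ?? 0);

    // 3. A user may change only their own password unless the session is admin.
    if ($level !== 'admin' && $id_user !== (int)($_SESSION['id_user'] ?? -1)) {
        http_response_code(403);
        exit('Request rejected: not allowed to update this user');
    }

    // 4. Store a salted hash, never the plaintext, via a prepared statement.
    //    $pdo is assumed to be an existing PDO connection.
    $new_hash = password_hash($_POST['password'] ?? '', PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('UPDATE user SET password = :hash WHERE id_user = :id');
    $stmt->execute([':hash' => $new_hash, ':id' => $id_user]);
}
?>
<!-- The legitimate form carries the session token as a hidden field. -->
<form method="post" action="aksi_user.php">
  <input type="hidden" name="module" value="user">
  <input type="hidden" name="act" value="update">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">
  <input type="hidden" name="id_user" value="<?= (int)($_SESSION['id_user'] ?? 0) ?>">
  <input type="password" name="password" autocomplete="new-password">
  <button type="submit">Update password</button>
</form>
```

A forged form hosted on another site cannot read the token out of the victim's session, so its POST fails the csrf_valid check even when the browser attaches the session cookie. Requiring the current password for any credential change would add a further layer; it is omitted here to keep the example focused on the CSRF check.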

Added: May 29, 2026, 4:50 PM
Updated: May 29, 2026, 4:50 PM