CVE-2018-25386
Deferred - Pending Action
SQL Injection in HaPe PKH 1.1 Admin Module

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: VulnCheck

Description
HaPe PKH 1.1 contains multiple SQL injection vulnerabilities in admin/media.php that allow attackers to manipulate database queries by injecting SQL code through the 'id' parameter. An unauthenticated attacker can exploit the desa module (module=desa&act=hapus), while authenticated users can exploit the pengurus, fasilitas, and kelompok modules (for example act=print, act=editpengurus, act=editfasilitas, and act=editkelompok). Successful exploitation allows extraction of sensitive database information including the current user, database name, and DBMS version.
Meta Information
Published: 2026-05-29
Last Modified: 2026-05-29
Generated: 2026-06-19
AI Q&A: 2026-05-29
EPSS Evaluated: 2026-06-18
Affected Vendors & Products
Showing 1 associated CPE
Vendor: hape
Product: pkh
Version / Range: 1.1
CWE
CWE ID: CWE-89
Description: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

HaPe PKH version 1.1 contains multiple SQL injection vulnerabilities in the admin/media.php file. These vulnerabilities occur through the 'id' parameter and can be exploited differently depending on whether the attacker is authenticated or not.

An unauthenticated attacker can exploit the desa module (module=desa&act=hapus), while authenticated users can exploit the pengurus, fasilitas, and kelompok modules using actions such as act=print, act=editpengurus, act=editfasilitas, and act=editkelompok.

Successful exploitation allows attackers to manipulate database queries by injecting SQL code, enabling them to extract sensitive database information including the current user, database name, and DBMS version.

Impact Analysis

This vulnerability can have a high impact as it allows attackers to extract sensitive information from the database without proper authorization.

  • Attackers can gain access to sensitive database details such as the current user, database name, and DBMS version.
  • Unauthenticated attackers can exploit certain modules, increasing the risk of unauthorized data access.
  • Authenticated users with access to specific modules can also exploit the vulnerability to escalate their privileges or extract sensitive data.
Detection Guidance

This vulnerability involves SQL injection through the 'id' parameter in admin/media.php, exploitable via specific modules and actions. Detection can focus on monitoring HTTP requests targeting these parameters and modules.

  • Inspect web server logs for suspicious requests containing 'module=desa&act=hapus' or authenticated actions like 'act=print', 'act=editpengurus', 'act=editfasilitas', and 'act=editkelompok' with unusual or malformed 'id' parameter values.
  • Use web application vulnerability scanners that support SQL injection detection to scan the admin/media.php endpoint, focusing on the 'id' parameter.
  • Run manual SQL injection tests using tools like sqlmap targeting the URL with the vulnerable parameters, for example: sqlmap -u "http://target/admin/media.php?module=desa&act=hapus&id=1" --batch
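
The log inspection described in the first bullet can be scripted. The following is an added example, not code from the advisory or from HaPe PKH: it scans access-log lines for requests to admin/media.php that use the modules and actions listed above and carry an 'id' value that is not a plain integer. The common/combined log format, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Modules and actions named in the advisory text for admin/media.php.
WATCHED_MODULES = {"desa", "pengurus", "fasilitas", "kelompok"}
WATCHED_ACTIONS = {"hapus", "print", "editpengurus", "editfasilitas", "editkelompok"}

# Client address and request target of a common/combined-format line (assumed format).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2026:10:00:01 +0000] "GET /admin/media.php?module=desa&act=hapus&id=12 HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/Jun/2026:10:00:05 +0000] "GET /admin/media.php?module=desa&act=hapus&id=12%27 HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jun/2026:10:01:10 +0000] "GET /admin/media.php?module=pengurus&act=editpengurus&id=3%20OR%201%3D1 HTTP/1.1" 200 2048',
    '198.51.100.4 - - [01/Jun/2026:10:02:00 +0000] "GET /index.php?id=abc HTTP/1.1" 200 100',
]

def suspicious_requests(lines):
    """Return (ip, module, act, id) for watched requests whose id is not a plain integer."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/admin/media.php"):
            continue
        # parse_qs percent-decodes values, so encoded quotes and spaces become visible.
        qs = parse_qs(url.query, keep_blank_values=True)
        module = qs.get("module", [""])[0].lower()
        act = qs.get("act", [""])[0].lower()
        if module not in WATCHED_MODULES or act not in WATCHED_ACTIONS:
            continue
        # Any id value that is not purely digits is worth a closer look.
        bad = [v for v in qs.get("id", []) if not re.fullmatch(r"\d{1,10}", v)]
        if bad:
            hits.append((m.group("ip"), module, act, bad[0]))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A purely numeric 'id' is not flagged, so this check complements rather than replaces a review of who is reaching the admin endpoint at all.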
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable admin/media.php endpoint and sanitizing input parameters to prevent SQL injection.

  • Apply input validation and parameterized queries or prepared statements in the code handling the 'id' parameter to prevent injection.
  • Limit access to the admin interface and modules (desa, pengurus, fasilitas, kelompok) to trusted users only.
  • If possible, temporarily disable the vulnerable modules or actions until a patch or fix is applied.
  • Monitor logs for suspicious activity and consider implementing a web application firewall (WAF) to block SQL injection attempts.
Compliance Impact

The vulnerability allows attackers to extract sensitive database information, which could include personal or protected data. This exposure can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding sensitive information against unauthorized access.

Successful exploitation of the SQL injection vulnerability compromises confidentiality, a core requirement in many compliance standards, potentially resulting in data breaches and regulatory penalties.
