CVE-2018-25390
Deferred Deferred - Pending Action
SQL Injection in HaPe PKH via lap-peserta-perdesa-pdf.php

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: VulnCheck

Description
HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'desa' POST parameter sent to lap-peserta-perdesa-pdf.php. Attackers can send a crafted request with a time-based blind payload to infer and extract sensitive database information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2018-25390
EUVD
EUVD-2018-21912
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hape pkh 1.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

HaPe PKH version 1.1 contains a high-severity SQL injection vulnerability identified as CVE-2018-25390. This vulnerability allows unauthenticated attackers to manipulate database queries by injecting malicious SQL code through the 'desa' POST parameter in the lap-peserta-perdesa-pdf.php file.

Attackers can send specially crafted POST requests with a time-based blind SQL injection payload to infer and extract sensitive information from the database without needing any authentication.

Impact Analysis

This vulnerability can have a significant impact by allowing attackers to access and extract sensitive database information without authentication.

Because the attack exploits SQL injection, it can compromise the confidentiality of the data stored in the database, potentially leading to data breaches or unauthorized data disclosure.

Detection Guidance

This vulnerability can be detected by sending specially crafted POST requests to the lap-peserta-perdesa-pdf.php file, targeting the 'desa' parameter with time-based blind SQL injection payloads.

A common detection method involves using tools like curl or sqlmap to send these crafted requests and observe the response time or behavior changes indicating SQL injection.

  • Example curl command to test the vulnerability: curl -X POST -d "desa=1' AND SLEEP(5)-- " http://target/lap-peserta-perdesa-pdf.php
  • Alternatively, use sqlmap to automate detection: sqlmap -u "http://target/lap-peserta-perdesa-pdf.php" --data="desa=1" --technique=T --time-sec=5
Mitigation Strategies

Immediate mitigation steps include applying input validation and sanitization on the 'desa' POST parameter to prevent SQL injection.

If possible, update HaPe PKH to a version where this vulnerability is fixed or apply available patches.

As a temporary measure, restrict access to the vulnerable script (lap-peserta-perdesa-pdf.php) via firewall rules or web application firewall (WAF) to block malicious requests.

Compliance Impact

The SQL injection vulnerability in HaPe PKH 1.1 allows unauthenticated attackers to extract sensitive database information, which can lead to unauthorized disclosure of personal or protected data.

Such unauthorized access and potential data breaches can negatively impact compliance with data protection regulations and standards like GDPR and HIPAA, which require safeguarding sensitive information against unauthorized access.

Therefore, exploitation of this vulnerability could result in violations of these regulations due to compromised confidentiality of sensitive data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2018-25390. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart