Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

HaPe PKH

Source -

CNA

CNA CVEs -

6

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
6Vulnerabilities found
CVE-2018-25391
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-Not Assigned
Published-29 May, 2026 | 14:46
Updated-29 May, 2026 | 19:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HaPe PKH 1.1 Missing Authorization Allows Unauthenticated Record Deletion

HaPe PKH 1.1 fails to enforce authorization on its record deletion endpoints, allowing unauthenticated attackers to delete arbitrary records by sending a crafted request that specifies the target record's id. The admin/modul/mod_pengurus/aksi_pengurus.php (module=pengurus&act=hapus) and admin/modul/mod_update/aksi_update.php (module=update&act=hapus) endpoints process deletions without verifying the requester's privileges, enabling removal of pengurus (administrator) and update records.

Action-Not Available
Vendor-Sitejo
Product-HaPe PKH
CWE ID-CWE-862
Missing Authorization
CVE-2018-25390
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-8.8||HIGH
EPSS-Not Assigned
Published-29 May, 2026 | 14:46
Updated-29 May, 2026 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HaPe PKH 1.1 SQL Injection via desa Parameter

HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'desa' POST parameter sent to lap-peserta-perdesa-pdf.php. Attackers can send a crafted request with a time-based blind payload to infer and extract sensitive database information.

Action-Not Available
Vendor-Sitejo
Product-HaPe PKH
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2018-25389
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-8.8||HIGH
EPSS-Not Assigned
Published-29 May, 2026 | 14:46
Updated-29 May, 2026 | 16:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HaPe PKH 1.1 SQL Injection via nama_kelompok Parameter

HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'nama_kelompok' POST parameter sent to lap-anggota-kelompok-pdf.php. Attackers can send a crafted request with a time-based blind payload to infer and extract sensitive database information.

Action-Not Available
Vendor-Sitejo
Product-HaPe PKH
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2018-25388
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-Not Assigned
Published-29 May, 2026 | 14:46
Updated-29 May, 2026 | 17:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HaPe PKH 1.1 Arbitrary File Upload via aksi_foto.php

HaPe PKH 1.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by bypassing file type validation. Attackers can upload PHP files through multiple endpoints including aksi_foto.php, aksi_user.php, and aksi_kecamatan.php to execute arbitrary code on the server.

Action-Not Available
Vendor-Sitejo
Product-HaPe PKH
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2018-25387
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-6.9||MEDIUM
EPSS-Not Assigned
Published-29 May, 2026 | 14:46
Updated-29 May, 2026 | 16:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HaPe PKH 1.1 Cross-Site Request Forgery via aksi_user.php

HaPe PKH 1.1 contains a cross-site request forgery vulnerability that allows attackers to change administrator passwords by submitting forged requests to the user update endpoint. Attackers can craft malicious forms targeting the aksi_user.php script with parameters like id_user, password, and level to modify admin credentials without authentication.

Action-Not Available
Vendor-Sitejo
Product-HaPe PKH
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-25386
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-8.8||HIGH
EPSS-Not Assigned
Published-29 May, 2026 | 14:46
Updated-29 May, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HaPe PKH 1.1 SQL Injection via id Parameter in admin/media.php

HaPe PKH 1.1 contains multiple SQL injection vulnerabilities in admin/media.php that allow attackers to manipulate database queries by injecting SQL code through the 'id' parameter. An unauthenticated attacker can exploit the desa module (module=desa&act=hapus), while authenticated users can exploit the pengurus, fasilitas, and kelompok modules (for example act=print, act=editpengurus, act=editfasilitas, and act=editkelompok). Successful exploitation allows extraction of sensitive database information including the current user, database name, and DBMS version.

Action-Not Available
Vendor-Sitejo
Product-HaPe PKH
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')