HIGH 8.2

CVE-2018-25386: SQL Injection in HaPe PKH 1.1 Admin Interface

HaPe PKH 1.1 contains multiple SQL injection flaws in its admin media management interface that allow attackers to inject malicious SQL commands and extract sensitive database information. Unauthenticated attackers can target the village module, while authenticated users can exploit several administrative modules. The vulnerability stems from improper handling of the 'id' parameter, enabling attackers to manipulate database queries and retrieve system-level data such as database credentials, names, and DBMS version details.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Weaknesses (CWE)
CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

HaPe PKH 1.1 contains multiple SQL injection vulnerabilities in admin/media.php that allow attackers to manipulate database queries by injecting SQL code through the 'id' parameter. An unauthenticated attacker can exploit the desa module (module=desa&act=hapus), while authenticated users can exploit the pengurus, fasilitas, and kelompok modules (for example act=print, act=editpengurus, act=editfasilitas, and act=editkelompok). Successful exploitation allows extraction of sensitive database information including the current user, database name, and DBMS version.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in admin/media.php where user-supplied input through the 'id' parameter is not properly sanitized before being incorporated into SQL queries. The injection point affects multiple modules: the desa (village) module is exploitable by unauthenticated users via the hapus (delete) action, while authenticated users can inject SQL through the pengurus (administrators), fasilitas (facilities), and kelompok (groups) modules using various actions including print, editpengurus, editfasilitas, and editkelompok. The lack of parameterized queries or input validation allows attackers to break out of the intended query context and execute arbitrary SQL statements. This maps directly to CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).

Business impact

A successful exploitation allows attackers to exfiltrate sensitive database information including user credentials, database structure, and DBMS version information. For unauthenticated attackers, this lowers the barrier to entry and enables reconnaissance of the application's data layer. Authenticated users exploiting the pengurus, fasilitas, and kelompok modules could access administrative data, user records, or facility information depending on the database schema. The compromise of database metadata can facilitate further attacks such as privilege escalation or lateral movement within the organization's data infrastructure.

Affected systems

HaPe PKH version 1.1 is confirmed to be vulnerable. Organizations running this content management or administrative system, particularly those exposing the admin interface to untrusted networks, are at direct risk. The vulnerability affects both unauthenticated and authenticated attack surfaces, making it relevant to any deployment regardless of access controls.

Exploitability

This vulnerability has a CVSS 3.1 score of 8.2 (HIGH) with a network-based attack vector requiring no authentication or user interaction. The attack complexity is low, meaning a standard SQL injection payload is likely sufficient. The impact is primarily confidentiality-focused (high) with minor integrity concerns. The unauthenticated desa module variant is particularly concerning as it requires no prior system access. An attacker with basic SQL injection knowledge can craft payloads to enumerate databases, extract table structures, or retrieve sensitive records. Public SQL injection techniques and tools are widely available, making this trivially exploitable in practice.

Remediation

Immediate patching is the primary remediation path. Organizations should check with HaPe PKH vendors or maintainers for security updates addressing CVE-2018-25386. If patches are unavailable or delayed, implement parameterized queries (prepared statements) in admin/media.php for all modules and actions mentioned. Validate and sanitize the 'id' parameter using allowlist approaches (accepting only expected integer values, for example). Apply principle of least privilege to database accounts used by the application. Additionally, restrict admin interface access to trusted IP ranges or require multi-factor authentication for administrative sessions.

Patch guidance

Verify availability of security updates from the HaPe PKH vendor or development team. Apply patches to all instances running version 1.1. If vendor patches are unavailable, consider implementing code-level fixes using prepared statements with parameterized queries for the affected admin/media.php file. Test patches thoroughly in a non-production environment before deployment. For organizations unable to patch immediately, apply network-level mitigations such as WAF rules that detect and block common SQL injection patterns in the 'id' parameter.

Detection guidance

Monitor web application logs for suspicious patterns in requests to admin/media.php, particularly those containing SQL syntax characters (single quotes, semicolons, SQL keywords like UNION, SELECT, OR) in the 'id' parameter. Implement database query logging to detect anomalous SQL statements executed by the application user account. Network-based detection should flag requests combining module names (desa, pengurus, fasilitas, kelompok) with suspicious parameter values. Endpoint detection and response solutions should alert on database credential exposure or large data transfers from the database server. Regular vulnerability scanning of the admin interface can identify residual exposure.

Why prioritize this

This vulnerability merits immediate priority for several reasons: (1) the attack surface includes unauthenticated access paths, removing the need for valid credentials; (2) the CVSS score of 8.2 reflects significant confidentiality impact; (3) SQL injection is a well-understood, trivially exploitable flaw with abundant public tooling; (4) successful exploitation directly compromises database integrity and confidentiality, enabling follow-on attacks. Organizations running HaPe PKH 1.1 should treat this as a critical patching target.

Risk score, explained

The CVSS 3.1 score of 8.2 (HIGH) reflects a network-accessible vulnerability with low attack complexity and no authentication requirement for the desa module. The high confidentiality impact acknowledges that attackers can extract database contents including metadata and potentially sensitive records. The low integrity impact reflects that while database modification is possible, the primary risk is data exfiltration. Availability is not impacted because the vulnerability does not enable denial-of-service attacks. The overall score emphasizes that this is a serious data breach risk rather than a system disruption risk.

Frequently asked questions

Can this vulnerability be exploited without network access to the admin interface?

No, the vulnerability requires network access to the admin/media.php endpoint. However, the desa module variant requires no authentication, so if the admin interface is publicly accessible or accessible from an attacker's network position, exploitation is immediate. The pengurus, fasilitas, and kelompok modules do require a valid authenticated session, which adds a barrier but does not eliminate the risk if attackers obtain credentials or target internal users.

What types of data are at highest risk of extraction?

Database metadata is the primary target: database usernames, database names, DBMS version, and table structures. Depending on the database contents, attackers can then extract user credentials, administrative records, facility information, and other sensitive data stored in the application's database. The risk extends to any data the application database contains.

Are there workarounds if we cannot patch immediately?

Yes, but patches should remain the priority. Temporary mitigations include: restricting network access to the admin interface via firewall rules or VPN, implementing Web Application Firewall (WAF) rules to block SQL injection patterns, validating the 'id' parameter to accept only numeric values, and enabling detailed logging to detect exploitation attempts. These controls reduce but do not eliminate risk.

Does this vulnerability affect HaPe PKH versions other than 1.1?

The description specifies version 1.1. Verify whether the vendor has identified other affected versions in their advisory. If you operate a different version, review the vendor's security documentation or contact support to confirm your version's vulnerability status.

This analysis is based on published CVE data and CVSS scoring. Patch availability, specific version numbers, and vendor advisory details should be verified directly with the HaPe PKH vendor or security advisories. This document is for informational purposes and does not constitute professional security advice. Organizations should conduct their own risk assessments based on their specific deployments and data sensitivity. No exploit code or weaponized proof-of-concept is provided herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).