CVE-2018-25390: Unauthenticated SQL Injection in HaPe PKH 1.1
HaPe PKH 1.1 is vulnerable to SQL injection through its lap-peserta-perdesa-pdf.php endpoint. An attacker can send a specially crafted request containing SQL code in the 'desa' POST parameter to manipulate database queries without authentication. Using time-based blind SQL injection techniques, an adversary can extract sensitive information from the underlying database by observing query response delays.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'desa' POST parameter sent to lap-peserta-perdesa-pdf.php. Attackers can send a crafted request with a time-based blind payload to infer and extract sensitive database information.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2018-25390 is an unauthenticated SQL injection vulnerability in HaPe PKH 1.1. The vulnerability exists in lap-peserta-perdesa-pdf.php, where the 'desa' POST parameter is not properly sanitized before being incorporated into SQL queries. An attacker can exploit this via time-based blind SQL injection—a technique that infers database content by measuring response timing differences—to enumerate schemas, extract data, or potentially modify database state. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Business impact
Successful exploitation enables unauthorized data exfiltration from the HaPe PKH 1.1 database. Depending on what data is stored—participant records, personal information, or administrative details—attackers could compromise confidentiality and potentially satisfy prerequisites for follow-on attacks. The unauthenticated nature and network accessibility make this a direct external threat vector requiring no prior system access or user interaction.
Affected systems
HaPe PKH 1.1 is affected. Organizations running this version of the HaPe PKH application should assume they are vulnerable. Verify your deployment version against vendor release notes; patch availability and remediation guidance should be sought directly from the HaPe PKH vendor.
Exploitability
This vulnerability has a low barrier to exploitation. No special privileges are required, no user interaction is necessary, and the attack can be executed over the network. Time-based blind SQL injection is a well-understood technique; tooling and methodologies are mature. The CVSS 3.1 score of 8.2 (HIGH) reflects the high attack complexity ease (AC:L), high confidentiality impact (C:H), and lack of authentication requirements (PR:N).
Remediation
Apply a security patch from the HaPe PKH vendor immediately. Verify the patch version against the vendor advisory. Until patching is possible, implement input validation and parameterized queries (prepared statements) within the application code. Web application firewalls (WAF) may provide temporary mitigation by detecting and blocking SQL injection patterns in POST data targeting lap-peserta-perdesa-pdf.php. Database-level access controls should also be reviewed to minimize exposure if injection does occur.
Patch guidance
Contact the HaPe PKH vendor or check their security advisory portal for available patches. Apply the latest patched version to all affected instances in development, staging, and production environments. Verify that the patch addresses the SQL injection in the 'desa' parameter of lap-peserta-perdesa-pdf.php. After patching, conduct a quick regression test on the PDF export functionality to ensure stability.
Detection guidance
Monitor HTTP POST requests to lap-peserta-perdesa-pdf.php for suspicious 'desa' parameter values containing SQL keywords (SELECT, UNION, AND, OR, WAITFOR, SLEEP) or special characters (single quotes, semicolons, parentheses used in SQL syntax). Enable application or WAF logging to capture and alert on time-based payloads (e.g., SLEEP, BENCHMARK). Review database query logs for unusual delays or errors coinciding with suspicious HTTP requests. Implement alerting on failed SQL syntax errors originating from the web application layer.
Why prioritize this
This vulnerability merits immediate attention due to its HIGH CVSS score (8.2), unauthenticated attack vector, and direct confidentiality impact. The ease of exploitation via time-based blind techniques and network accessibility make it a priority for threat actors. Organizations should treat patching or mitigation as urgent to prevent database reconnaissance and data exfiltration.
Risk score, explained
The CVSS 3.1 score of 8.2 reflects: (1) network-accessible attack vector (AV:N), (2) low attack complexity requiring no special conditions (AC:L), (3) no authentication required (PR:N), (4) no user interaction needed (UI:N), (5) high confidentiality impact enabling data extraction (C:H), and (6) limited integrity impact (I:L) due to potential for data modification through UNION-based or stacked-query techniques. Availability is not directly impacted (A:N).
Frequently asked questions
Can this vulnerability be exploited without network access to the application?
No. The vulnerability is accessible over the network (AV:N in the CVSS vector), so the application endpoint must be reachable via HTTP/HTTPS from the attacker's location. If lap-peserta-perdesa-pdf.php is not exposed to the internet or untrusted networks, external risk is lower; however, insider threats or compromised internal systems could still exploit it.
What is time-based blind SQL injection and why is it harder to detect than error-based injection?
Time-based blind SQL injection infers data by crafting queries that cause the database to delay its response when a condition is true. For example, 'IF (SELECT COUNT(*) FROM users) > 0 THEN SLEEP(5)' will pause the response if the condition matches. It's harder to detect because no error messages or data are directly returned; attackers rely on timing differences. This makes WAF detection more challenging but not impossible.
Is HaPe PKH 1.1 still actively maintained and is a patch available?
The published date for this CVE is 2026-05-29, so verify current maintenance status and patch availability directly with the HaPe PKH vendor. Refer to their official security advisory or release notes to confirm whether a patch has been issued and what version number fixes this issue.
If we cannot patch immediately, what interim controls reduce risk?
Deploy input validation and parameterized queries in the application code if possible. Configure a WAF to block requests with SQL injection signatures in the 'desa' parameter. Restrict network access to lap-peserta-perdesa-pdf.php using firewall rules or IP allowlisting. Apply database-level principle of least privilege so the application database user has minimal permissions. Monitor and alert on suspicious queries and response timing anomalies.
This analysis is provided for informational purposes and reflects the vulnerability details as of the publication and modification dates. Organizations must verify patch availability, version numbers, and compatibility with their specific deployments through official vendor advisories. No exploit code or weaponized proof-of-concept is provided herein. Consult vendor security documentation and your internal risk assessment process before implementing any remediation. SEC.co does not guarantee the completeness or currency of this information; security posture should be informed by multiple authoritative sources and continuous vulnerability monitoring. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25398HIGHUnauthenticated SQL Injection in Open ISES Project 3.30A