PatchSiren

PatchSiren cyber security CVE debrief

CVE-2018-25386 Sitejo CVE debrief

CVE-2018-25386 documents multiple SQL injection vulnerabilities in HaPe PKH 1.1, specifically within admin/media.php. The 'id' parameter fails to properly sanitize user input, enabling attackers to inject arbitrary SQL code. An unauthenticated attacker can exploit the desa module via module=desa&act=hapus, while authenticated users can target the pengurus, fasilitas, and kelompok modules through actions such as act=print, act=editpengurus, act=editfasilitas, and act=editkelompok. Successful exploitation permits extraction of sensitive database metadata including the current database user, database name, and DBMS version. The vulnerability carries a CVSS 4.0 score of 8.8 (HIGH severity), reflecting network accessibility, low attack complexity, and high confidentiality impact. The CVE was published on 2026-05-29 and modified the same day; the NVD status is currently Deferred. The vendor attribution remains uncertain, with low-confidence evidence pointing to 'Sitejo' based on reference domain analysis. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.

Vendor: Sitejo
Product: HaPe PKH
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running HaPe PKH 1.1; security teams managing PHP-based administrative applications; database administrators responsible for application-layer security; incident response teams monitoring for SQL injection indicators of compromise

Technical summary

The vulnerability resides in admin/media.php of HaPe PKH 1.1, where the 'id' parameter is vulnerable to SQL injection. The attack surface spans multiple modules: desa (unauthenticated, act=hapus), pengurus (authenticated, act=print/editpengurus), fasilitas (authenticated, act=editfasilitas), and kelompok (authenticated, act=editkelompok). The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N) indicates network exploitation with no authentication required for the desa module, high confidentiality impact, and low integrity impact. Successful attacks can enumerate database metadata through standard SQL injection techniques. The NVD status of 'Deferred' suggests the entry may await additional analysis or vendor coordination.

Defensive priority

HIGH

Recommended defensive actions

  • Apply input validation and parameterized queries to the 'id' parameter in admin/media.php across all affected modules (desa, pengurus, fasilitas, kelompok)
  • Implement least-privilege database access for the application to limit impact of successful SQL injection
  • Deploy Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the identified modules and actions
  • Review and sanitize all user-supplied parameters in administrative interfaces, particularly those handling delete, edit, and print actions
  • Monitor database query logs for anomalous patterns indicative of SQL injection attempts
  • Consider removing or restricting access to admin/media.php if the functionality is not required for operations
  • Apply the principle of defense in depth by enabling database activity monitoring and alerting on information_schema access attempts, since metadata enumeration is the impact the advisory describes
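The following is an added example, not HaPe PKH's own code and not taken from the advisory: it shows how the request-handling pattern the debrief describes (module and act selected by query string, a row selected by 'id') can be rewritten to apply the first, second and fourth actions above together. The PDO connection details, the table names, the session variable used for the login check, and the error_log hook are assumptions; the module and action names are the ones the advisory lists.

```php
<?php
// Added example (not HaPe PKH code): hardened dispatcher for the admin/media.php
// pattern. Assumptions: a PDO connection to MySQL, one table per module with an
// integer primary key 'id', and an admin session flag named 'admin_id'.
declare(strict_types=1);

session_start();

// Assumed connection. A dedicated low-privilege account limits what any
// remaining injection could read; disabling emulated prepares makes the
// server, not the driver, do the parameter binding.
$pdo = new PDO('mysql:host=localhost;dbname=hape_pkh;charset=utf8mb4',
    'hape_app', getenv('HAPE_DB_PASSWORD') ?: '', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);

// Whitelist of module => action => [table, statement kind]. Only entries here
// are reachable, so the table name can be interpolated safely; the user-
// supplied 'id' is always bound as a parameter, never concatenated.
const ALLOWED = [
    'desa'      => ['hapus'         => ['desa',      'delete']],
    'pengurus'  => ['print'         => ['pengurus',  'select'],
                    'editpengurus'  => ['pengurus',  'select']],
    'fasilitas' => ['editfasilitas' => ['fasilitas', 'select']],
    'kelompok'  => ['editkelompok'  => ['kelompok',  'select']],
];

/** Accept only a positive integer id; anything else is rejected before SQL. */
function validatedId(array $params): ?int
{
    $id = filter_var($params['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return ($id === false || $id === null) ? null : $id;
}

/** Every admin action, including the delete the advisory found reachable
 *  without a login, requires an authenticated session. */
function requireLogin(): void
{
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403);
        exit('login required');
    }
}

$module = (string)($_GET['module'] ?? '');
$act    = (string)($_GET['act'] ?? '');

if (!isset(ALLOWED[$module][$act])) {
    http_response_code(400);
    exit('unknown module or action');
}
requireLogin();

$id = validatedId($_GET);
if ($id === null) {
    // Rejected ids are worth logging: a non-numeric 'id' against these
    // actions is exactly the pattern the monitoring bullet asks teams to watch.
    error_log(sprintf('media.php rejected id=%s module=%s act=%s ip=%s',
        $_GET['id'] ?? '', $module, $act, $_SERVER['REMOTE_ADDR'] ?? '-'));
    http_response_code(400);
    exit('invalid id');
}

[$table, $kind] = ALLOWED[$module][$act];
$sql  = $kind === 'delete'
    ? "DELETE FROM `$table` WHERE id = :id"
    : "SELECT * FROM `$table` WHERE id = :id";
$stmt = $pdo->prepare($sql);
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();

if ($kind === 'select') {
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    header('Content-Type: application/json');
    echo json_encode($row ?: null);
} else {
    echo $stmt->rowCount() . ' row(s) deleted';
}
```

Two choices carry the security argument: the whitelist means the only dynamic SQL fragment (the table name) comes from the code, not the request, and the integer validation plus `PDO::PARAM_INT` binding means the 'id' value can never alter the statement's structure, which removes the metadata-enumeration path described in the technical summary.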

Evidence notes

Vulnerability details sourced from NVD modified feed with VulnCheck disclosure attribution. CVSS 4.0 vector confirms network attack vector with no privileges required. Multiple source references include Exploit-DB entry 45588 and VulnCheck advisory confirming SQL injection via 'id' parameter in admin/media.php. Vendor attribution based on reference_domain_candidate 'Sitejo' with low confidence; requires review.

Official resources

2026-05-29