PatchSiren

PatchSiren cyber security CVE debrief

CVE-2018-25391 Sitejo CVE debrief

CVE-2018-25391 documents a missing authorization vulnerability in HaPe PKH 1.1, a PHP-based application. The vulnerability exists in two administrative endpoints, admin/modul/mod_pengurus/aksi_pengurus.php (module=pengurus&act=hapus) and admin/modul/mod_update/aksi_update.php (module=update&act=hapus), which process record deletion requests without verifying the requester's authentication status or privileges. An unauthenticated attacker can delete arbitrary pengurus (administrator) records and update records by sending crafted HTTP requests that specify the target record identifiers. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, no privileges required, and high integrity impact on the vulnerable system. The weakness is classified as CWE-862 (Missing Authorization). The vulnerability was disclosed with references to the vendor site, the source code repository, an exploit database entry, and a VulnCheck advisory.

Vendor: Sitejo
Product: HaPe PKH
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running HaPe PKH 1.1; security teams managing PHP-based administrative applications; incident responders investigating unauthorized data deletion in legacy web applications

Technical summary

HaPe PKH 1.1 contains two administrative PHP endpoints that lack authorization controls. The aksi_pengurus.php endpoint (accessed via module=pengurus&act=hapus) and the aksi_update.php endpoint (module=update&act=hapus) accept record deletion requests without session validation or privilege verification. An attacker can construct HTTP requests with arbitrary record identifiers to delete pengurus (administrator) accounts and update records. The vulnerability requires no authentication and no user interaction, and it is exploitable over the network with low complexity. Integrity impact is rated HIGH per CVSS 4.0; confidentiality and availability impacts are not scored in the base metric.
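The handler shape described above, shown first without and then with an authorization gate, as an added example that is not HaPe PKH code or part of the PatchSiren debrief. The advisory names only the module and act parameters; the id parameter, the session keys (user_id, level, csrf_token) and the table and column names are assumptions for illustration, and an in-memory SQLite database stands in for the application's database.

```php
<?php
// Added example, not HaPe PKH code. Schema, session layout and the 'id'
// parameter are assumptions; only module=pengurus&act=hapus comes from the advisory.
declare(strict_types=1);

// --- Vulnerable shape: the handler acts as soon as act=hapus arrives. ---
function deleteRecordUnchecked(PDO $db, array $get): void
{
    if (($get['act'] ?? '') === 'hapus') {
        // No session check, no role check: anyone who can reach the URL deletes the row.
        $stmt = $db->prepare('DELETE FROM pengurus WHERE id_pengurus = ?'); // assumed schema
        $stmt->execute([$get['id'] ?? '']);
    }
}

// --- Hardened shape: authenticate, authorize, validate input, then act. ---
final class AuthorizationError extends RuntimeException {}

function requireAdminSession(array $session): void
{
    // Assumed session layout: login sets $_SESSION['user_id'] and $_SESSION['level'].
    if (empty($session['user_id'])) {
        throw new AuthorizationError('not authenticated');
    }
    if (($session['level'] ?? '') !== 'admin') {
        throw new AuthorizationError('insufficient privilege');
    }
}

function requireCsrfToken(array $session, array $post): void
{
    // A state-changing action is only accepted with a per-session token,
    // so a logged-in admin cannot be made to delete records by a third-party page.
    $expected = $session['csrf_token'] ?? '';
    $given = (string) ($post['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        throw new AuthorizationError('bad or missing CSRF token');
    }
}

function deleteRecordChecked(PDO $db, array $session, array $post, string $method): int
{
    if ($method !== 'POST' || ($post['act'] ?? '') !== 'hapus') {
        return 0; // deletion is offered only as a POST action
    }
    requireAdminSession($session);
    requireCsrfToken($session, $post);

    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $db->prepare('DELETE FROM pengurus WHERE id_pengurus = ?'); // assumed schema
    $stmt->execute([$id]);
    return $stmt->rowCount();
}

// Self-contained demonstration against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pengurus (id_pengurus INTEGER PRIMARY KEY, nama TEXT)');
$db->exec("INSERT INTO pengurus VALUES (1, 'a'), (2, 'b'), (3, 'c')");

// Request with no session at all: the unchecked handler deletes, the checked one refuses.
deleteRecordUnchecked($db, ['module' => 'pengurus', 'act' => 'hapus', 'id' => '1']);
echo "rows after unchecked delete: ", $db->query('SELECT COUNT(*) FROM pengurus')->fetchColumn(), "\n";

try {
    deleteRecordChecked($db, [], ['act' => 'hapus', 'id' => '2'], 'POST');
} catch (AuthorizationError $e) {
    echo "refused: {$e->getMessage()}\n";
}

// Authenticated admin with a valid token: the deletion proceeds.
$session = ['user_id' => 7, 'level' => 'admin', 'csrf_token' => bin2hex(random_bytes(16))];
$n = deleteRecordChecked(
    $db,
    $session,
    ['act' => 'hapus', 'id' => '2', 'csrf_token' => $session['csrf_token']],
    'POST'
);
echo "rows deleted by admin: $n\n";
```

The ordering matters: the session and role checks run before the request parameters are even looked at, so an unauthenticated caller never reaches the query, and the integer validation plus prepared statement keep the record identifier from being interpreted as anything other than a key.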

Defensive priority

HIGH

Recommended defensive actions

  • Implement authentication and authorization checks on all administrative endpoints, particularly record deletion handlers
  • Apply the principle of least privilege so that deletion operations require a verified administrative session
  • Review and remediate similar endpoint patterns in the admin/modul/ directory structure
  • Deploy web application firewall rules to block unauthenticated POST requests to administrative action endpoints
  • Monitor access logs for anomalous deletion requests to aksi_pengurus.php and aksi_update.php
  • Consider removing or disabling the affected endpoints until patch availability is confirmed
  • Verify backup integrity for pengurus and update records to enable recovery from unauthorized deletions
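The log monitoring step above, as an added example that is not part of the PatchSiren debrief or the HaPe PKH code: a PHP script that scans combined-format web server access log lines for deletion requests to the two handlers and adds triage hints (state change via GET, no Referer from the admin UI, request accepted by the server, repeated deletions from one client). The log lines are constructed for illustration; the id parameter name is an assumption, since the advisory names only module and act.

```php
<?php
// Added example, not PatchSiren or HaPe PKH code. Sample log lines are constructed;
// the 'id' query parameter is assumed. Run with: php scan_deletions.php
declare(strict_types=1);

// The two deletion handlers named in the advisory, mapped to their module value.
const DELETION_HANDLERS = [
    'admin/modul/mod_pengurus/aksi_pengurus.php' => 'pengurus',
    'admin/modul/mod_update/aksi_update.php'     => 'update',
];

// Combined log format: ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "agent"
const LOG_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"/';

function parseLine(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null; // not a combined-format line
    }
    $url = parse_url($m['target']);
    $query = [];
    parse_str($url['query'] ?? '', $query);
    return [
        'ip' => $m['ip'], 'time' => $m['time'], 'method' => $m['method'],
        'path' => ltrim($url['path'] ?? '', '/'), 'query' => $query,
        'status' => (int) $m['status'], 'referer' => $m['referer'], 'ua' => $m['ua'],
    ];
}

// Returns a hit when the request targets one of the handlers with act=hapus.
function matchDeletionRequest(array $req): ?array
{
    foreach (DELETION_HANDLERS as $handler => $module) {
        if (!str_ends_with($req['path'], $handler) || ($req['query']['act'] ?? '') !== 'hapus') {
            continue;
        }
        $reasons = [];
        if ($req['method'] === 'GET') {
            $reasons[] = 'state change via GET';
        }
        if ($req['referer'] === '-' || $req['referer'] === '') {
            $reasons[] = 'no referer, not driven from the admin UI';
        }
        if ($req['status'] < 400) {
            $reasons[] = 'server accepted the request';
        }
        return [
            'module' => $module,
            'id' => $req['query']['id'] ?? '?', // 'id' parameter name is an assumption
            'ip' => $req['ip'], 'time' => $req['time'],
            'method' => $req['method'], 'status' => $req['status'],
            'reasons' => $reasons,
        ];
    }
    return null;
}

function scanLog(iterable $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parseLine($line);
        if ($req !== null && ($hit = matchDeletionRequest($req)) !== null) {
            $hits[] = $hit;
        }
    }
    return $hits;
}

// Constructed sample: two back-to-back pengurus deletions from one client without a
// referer, one update deletion from the admin UI, and two unrelated requests.
$sample = [
    '203.0.113.5 - - [29/May/2026:10:14:02 +0000] "GET /admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=hapus&id=3 HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [29/May/2026:10:14:03 +0000] "GET /admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=hapus&id=4 HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [29/May/2026:10:20:11 +0000] "GET /admin/modul/mod_update/aksi_update.php?module=update&act=hapus&id=12 HTTP/1.1" 200 0 "http://pkh.example/admin/?module=update" "Mozilla/5.0"',
    '198.51.100.20 - - [29/May/2026:10:20:15 +0000] "GET /admin/modul/mod_update/aksi_update.php?module=update&act=edit&id=12 HTTP/1.1" 200 4120 "http://pkh.example/admin/?module=update" "Mozilla/5.0"',
    '192.0.2.9 - - [29/May/2026:10:21:00 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
];

$hits = scanLog($sample);
$perIp = [];
foreach ($hits as $h) {
    $perIp[$h['ip']] = ($perIp[$h['ip']] ?? 0) + 1;
    printf("%s %s %s %s module=%s id=%s status=%d [%s]\n",
        $h['time'], $h['ip'], $h['method'], 'hapus', $h['module'], $h['id'], $h['status'],
        implode('; ', $h['reasons']));
}
foreach ($perIp as $ip => $count) {
    if ($count > 1) {
        echo "note: $count deletion requests from $ip, review against login records\n";
    }
}
```

An access log cannot show whether the caller held a valid session, so every hit still needs to be matched against the application's login records; the hints only order the review, with no-referer GET deletions repeated from one address at the top. If the application is fronted by a reverse proxy, read the client address from the forwarded header the proxy is configured to set rather than from the first field.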

Evidence notes

Vulnerability description sourced from official CVE record and NVD entry. CVSS 4.0 vector and CWE-862 classification confirmed via NVD metadata. Affected endpoints and attack mechanics derived from CVE description. Vendor attribution marked as low confidence based on reference domain candidate 'Sitejo' with review flag set.
