CVE-2018-25391 documents a missing authorization vulnerability in HaPe PKH 1.1, a PHP-based application. The vulnerability exists in two administrative endpoints—admin/modul/mod_pengurus/aksi_pengurus.php (module=pengurus&act=hapus) and admin/modul/mod_update/aksi_update.php (module=update&act=hapus)—which process record deletion requests without verifying the requester's authentication status or privileg [truncated]
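The defect described above is the absence of any session check before the delete action runs. The following is an added example (not code from HaPe PKH) of the guard that such an action handler needs; the session keys `admin_id` and `level`, the table `pengurus` and its key column are assumptions chosen for illustration, not identifiers taken from the advisory.

```php
<?php
// Added example, not HaPe PKH's own code. Session keys, table and column
// names are assumptions for illustration.
session_start();

// The check that CVE-2018-25391 reports as missing: refuse the request
// unless the session belongs to a logged-in administrator.
function require_admin(): void {
    if (empty($_SESSION['admin_id']) || ($_SESSION['level'] ?? '') !== 'admin') {
        http_response_code(403);
        exit('Forbidden');
    }
}

// A state-changing action should also carry a per-session CSRF token, otherwise
// an authenticated admin can be tricked into issuing the delete from another site.
function require_csrf_token(): void {
    $sent = $_POST['csrf'] ?? '';
    if (empty($_SESSION['csrf']) || !hash_equals($_SESSION['csrf'], $sent)) {
        http_response_code(403);
        exit('Bad CSRF token');
    }
}

// Dispatcher for module=pengurus&act=hapus. Authorization is evaluated before
// the request parameters are even looked at, and the id is bound, not spliced.
function handle_pengurus_action(PDO $db, string $act, string $id): int {
    require_admin();
    require_csrf_token();
    if ($act !== 'hapus') {
        throw new InvalidArgumentException('unsupported action');
    }
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $db->prepare('DELETE FROM pengurus WHERE id_pengurus = ?');
    $stmt->execute([(int) $id]);
    return $stmt->rowCount();
}
```

Putting the two `require_*` calls at the top of every file under `admin/modul/` (or in a common include that each action file loads first) is the practical fix; a check that lives only in the menu or index page protects nothing, because the action files are reachable by direct URL.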
CVE-2018-25390 documents an SQL injection vulnerability in HaPe PKH 1.1, a software project distributed via SourceForge. The vulnerability exists in the `lap-peserta-perdesa-pdf.php` endpoint, where the `desa` POST parameter fails to properly sanitize user input, allowing unauthenticated attackers to inject arbitrary SQL code. The issue was disclosed with a time-based blind SQL injection proof-of-concept, [truncated]
CVE-2018-25389 documents an unauthenticated SQL injection vulnerability in HaPe PKH version 1.1, a PHP-based application. The flaw exists in the `lap-anggota-kelompok-pdf.php` endpoint, where user-supplied input via the `nama_kelompok` POST parameter is insufficiently sanitized before being incorporated into database queries. Attackers can inject time-based blind SQL payloads to infer and extract sensitiv [truncated]
CVE-2018-25388 documents an arbitrary file upload vulnerability in HaPe PKH version 1.1, a PHP-based application. The vulnerability allows authenticated attackers to bypass file type validation and upload malicious files, including PHP scripts, through multiple endpoints: aksi_foto.php, aksi_user.php, and aksi_kecamatan.php. Successful exploitation enables remote code execution on the affected server. The [truncated]
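The three upload handlers named above accept files whose type is decided by attacker-controlled data (the client-supplied filename or `Content-Type`). The following is an added example, not HaPe PKH's code, of an upload routine that decides by content, re-encodes the image and chooses the stored filename itself; `$_FILES['foto']` and the destination directory are assumptions.

```php
<?php
// Added example, not HaPe PKH's own code. The form field name and upload
// directory are assumptions for illustration.

// Content types we are willing to store, mapped to the extension we assign.
const ALLOWED_IMAGES = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

function store_image_upload(array $file, string $dir): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }

    // Sniff the real type from the bytes. $file['type'] and $file['name']
    // are sent by the client and prove nothing.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGES[$mime])) {
        throw new RuntimeException('unsupported file type: ' . $mime);
    }

    // Re-encode through GD: a valid image with "<?php ... ?>" appended
    // (a polyglot) decodes fine but the payload does not survive re-encoding.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }

    // Server-chosen random name with a server-chosen extension, so tricks
    // such as shell.php, shell.php.jpg or shell.phtml never reach the disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGES[$mime];
    $dest = rtrim($dir, '/') . '/' . $name;
    $ok = $mime === 'image/png' ? imagepng($img, $dest) : imagejpeg($img, $dest, 90);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write ' . $dest);
    }
    return $name;
}

// Usage in an action file such as aksi_foto.php (after the admin session check):
// $stored = store_image_upload($_FILES['foto'], __DIR__ . '/../../uploads');
```

As defence in depth, the upload directory should not execute scripts at all: with Apache and mod_php, `php_admin_flag engine off` inside a `<Directory>` block for the upload path does this, and with nginx the `location` for that path should simply not be passed to PHP-FPM. Then even a bypass of the type check yields a file that is served, not run.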
CVE-2018-25386 documents multiple SQL injection vulnerabilities in HaPe PKH 1.1, specifically within admin/media.php. The 'id' parameter fails to properly sanitize user input, enabling attackers to inject arbitrary SQL code. An unauthenticated attacker can exploit the desa module via module=desa&act=hapus, while authenticated users can target the pengurus, fasilitas, and kelompok modules through actions s [truncated]
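The SQL injection entries for `lap-peserta-perdesa-pdf.php` (`desa`), `lap-anggota-kelompok-pdf.php` (`nama_kelompok`) and `admin/media.php` (`id`) share one root cause: a request value spliced into the query text. The following added example (not HaPe PKH's code) shows the vulnerable pattern next to the parameterized form, and, for the module-driven deletes in `admin/media.php`, an identifier allowlist. Table and column names are assumptions for illustration.

```php
<?php
// Added example, not HaPe PKH's own code. Table and column names below are
// assumptions for illustration.

// Vulnerable pattern (as in the advisories): the POST value becomes part of the
// SQL string. A time-based blind probe such as
//     x' AND SLEEP(5) AND 'a'='a
// closes the quote, runs SLEEP(5) and reopens it; the attacker infers data by
// swapping the constant condition for one that depends on a secret,
// e.g. IF(SUBSTRING((SELECT password FROM admin LIMIT 1),1,1)='a',SLEEP(5),0).
function peserta_by_desa_vulnerable(mysqli $db, string $desa) {
    return $db->query("SELECT * FROM peserta WHERE desa = '" . $desa . "'");
}

// Hardened: the value travels to the server separately from the statement text,
// so the quote and SLEEP() are just characters of a string literal.
function peserta_by_desa(PDO $db, string $desa): array {
    $stmt = $db->prepare('SELECT * FROM peserta WHERE desa = ?');
    $stmt->execute([$desa]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// admin/media.php chooses the table from ?module=...; identifiers cannot be
// bound as parameters, so they come from a fixed map and only the id is bound.
const DELETE_TARGETS = [
    'desa'      => ['table' => 'desa',      'key' => 'id_desa'],
    'pengurus'  => ['table' => 'pengurus',  'key' => 'id_pengurus'],
    'fasilitas' => ['table' => 'fasilitas', 'key' => 'id_fasilitas'],
    'kelompok'  => ['table' => 'kelompok',  'key' => 'id_kelompok'],
];

function delete_by_module(PDO $db, string $module, string $id): int {
    if (!isset(DELETE_TARGETS[$module])) {
        throw new InvalidArgumentException('unknown module');
    }
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $t = DELETE_TARGETS[$module];
    $stmt = $db->prepare("DELETE FROM {$t['table']} WHERE {$t['key']} = ?");
    $stmt->execute([(int) $id]);
    return $stmt->rowCount();
}

// Connection setup that matters for the fix: with emulated prepares PDO still
// builds the query string client-side; native prepares keep text and data apart.
function connect(string $dsn, string $user, string $pass): PDO {
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}
```

Two checks worth running after such a fix: grep the code base for `query(` and `mysql_query(` calls whose argument contains a `$` variable or `.` concatenation, and confirm that the report endpoints are actually behind the session check, since the advisories describe them as reachable unauthenticated.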