CVE-2018-25388
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
HaPe PKH 1.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by bypassing file type validation. Attackers can upload PHP files through multiple endpoints including aksi_foto.php, aksi_user.php, and aksi_kecamatan.php to execute arbitrary code on the server.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Sitejo | HaPe PKH | 1.1 | affected |
Weaknesses
- CWE-434: Unrestricted Upload of File with Dangerous Type
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
References
- https://www.exploit-db.com/exploits/45593
- http://www.sitejo.id
- https://sourceforge.net/projects/hape-pkh/files/latest/download
- https://www.vulncheck.com/advisories/hape-pkh-arbitrary-file-upload-via-aksi-foto-php
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.