← back
CVE-2018-25387

HaPe PKH 1.1 Cross-Site Request Forgery via aksi_user.php

CVSS 6.9 MEDIUMEPSS 0.2%CWE-352
HaPe PKH 1.1 contains a cross-site request forgery vulnerability that allows attackers to change administrator passwords by submitting forged requests to the user update endpoint. Attackers can craft malicious forms targeting the aksi_user.php script with parameters like id_user, password, and level to modify admin credentials without authentication.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
Affected products
Sitejo · HaPe PKH
public PoCs found1
cve_referencewww.exploit-db.com/exploits/45591unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://sourceforge.net/projects/hape-pkh/files/latest/downloadhttps://www.exploit-db.com/exploits/45591https://www.vulncheck.com/advisories/hape-pkh-cross-site-request-forgery-via-aksi-user-phphttp://www.sitejo.id