CVE-2018-25409

SIM-PKH 2.4.1 Arbitrary File Upload via aksi_pengurus.php

CVSS 8.7 HIGHEPSS 0.3%CWE-434

SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi_pengurus.php endpoint with module=pengurus and act=update parameters, which are stored in the foto directory and executed as web scripts.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

Simpkh · SIM-PKH

public PoCs found — 1

cve_referencewww.exploit-db.com/exploits/45659unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://simpkh.sourceforge.io/https://sourceforge.net/projects/simpkh/files/latest/download https://www.exploit-db.com/exploits/45659 https://www.vulncheck.com/advisories/sim-pkh-arbitrary-file-upload-via-aksi-pengurus-php