4 vulnerability records found for SIM-PKH by Simpkh (CVE-2018-25410 and CVE-2018-25409, each listed once from nvd and once from cvelistv5)
CVE-2018-25410 (GCVE-0-2018-25410)
Vulnerability from nvd – Published: 2026-05-30 14:55 – Updated: 2026-05-30 14:55
Title
SIM-PKH 2.4.1 SQL Injection via media.php id Parameter
Summary
SIM-PKH 2.4.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting SQL through the 'id' parameter. Attackers can send GET requests to /admin/media.php with the module=pengurus and act=editpengurus parameters and an 'id' value containing SQL UNION statements to extract database information, including usernames, database names, and version details. The record below lists version 2.4.1 as affected, classifies the flaw as CWE-89, and rates it CVSS 7.1 (HIGH) under both v4.0 and v3.1, with low privileges required.
Severity
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/45664 | exploit |
| https://simpkh.sourceforge.io/ | product |
| https://sourceforge.net/projects/simpkh/files/latest/download | product |
| https://www.vulncheck.com/advisories/sim-pkh-sql-injection-via-media-php-id-parameter | third-party-advisory |
Date Public
2018-10-22 00:00
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "SIM-PKH",
"vendor": "Simpkh",
"versions": [
{
"status": "affected",
"version": "2.4.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ihsan Sencan"
}
],
"datePublic": "2018-10-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "SIM-PKH 2.4.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the \u0027id\u0027 parameter. Attackers can send GET requests to /admin/media.php with module=pengurus and act=editpengurus parameters containing SQL UNION statements to extract database information including usernames, database names, and version details."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-30T14:55:17.141Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-45664",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/45664"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://simpkh.sourceforge.io/"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://sourceforge.net/projects/simpkh/files/latest/download"
},
{
"name": "VulnCheck Advisory: SIM-PKH 2.4.1 SQL Injection via media.php id Parameter",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/sim-pkh-sql-injection-via-media-php-id-parameter"
}
],
"title": "SIM-PKH 2.4.1 SQL Injection via media.php id Parameter",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2018-25410",
"datePublished": "2026-05-30T14:55:17.141Z",
"dateReserved": "2026-05-30T12:27:11.523Z",
"dateUpdated": "2026-05-30T14:55:17.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2018-25409 (GCVE-0-2018-25409)
Vulnerability from nvd – Published: 2026-05-30 14:55 – Updated: 2026-05-30 14:55
Title
SIM-PKH 2.4.1 Arbitrary File Upload via aksi_pengurus.php
Summary
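SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi_pengurus.php endpoint with the module=pengurus and act=update parameters; the uploaded files are stored in the foto directory and are executed as web scripts. The record below lists version 2.4.1 as affected, classifies the flaw as CWE-434, and rates it CVSS 8.7 (v4.0) and 8.8 (v3.1), both HIGH, with low privileges required.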
Severity
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/45659 | exploit |
| https://simpkh.sourceforge.io/ | product |
| https://sourceforge.net/projects/simpkh/files/latest/download | product |
| https://www.vulncheck.com/advisories/sim-pkh-arbitrary-file-upload-via-aksi-pengurus-php | third-party-advisory |
Date Public
2018-10-22 00:00
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "SIM-PKH",
"vendor": "Simpkh",
"versions": [
{
"status": "affected",
"version": "2.4.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ihsan Sencan"
}
],
"datePublic": "2018-10-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi_pengurus.php endpoint with module=pengurus and act=update parameters, which are stored in the foto directory and executed as web scripts."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-30T14:55:16.382Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-45659",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/45659"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://simpkh.sourceforge.io/"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://sourceforge.net/projects/simpkh/files/latest/download"
},
{
"name": "VulnCheck Advisory: SIM-PKH 2.4.1 Arbitrary File Upload via aksi_pengurus.php",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/sim-pkh-arbitrary-file-upload-via-aksi-pengurus-php"
}
],
"title": "SIM-PKH 2.4.1 Arbitrary File Upload via aksi_pengurus.php",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2018-25409",
"datePublished": "2026-05-30T14:55:16.382Z",
"dateReserved": "2026-05-30T12:26:46.782Z",
"dateUpdated": "2026-05-30T14:55:16.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2018-25410 (GCVE-0-2018-25410)
Vulnerability from cvelistv5 – Published: 2026-05-30 14:55 – Updated: 2026-05-30 14:55
Title
SIM-PKH 2.4.1 SQL Injection via media.php id Parameter
Summary
SIM-PKH 2.4.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting SQL through the 'id' parameter. Attackers can send GET requests to /admin/media.php with the module=pengurus and act=editpengurus parameters and an 'id' value containing SQL UNION statements to extract database information, including usernames, database names, and version details. The record below lists version 2.4.1 as affected, classifies the flaw as CWE-89, and rates it CVSS 7.1 (HIGH) under both v4.0 and v3.1, with low privileges required.
Severity
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/45664 | exploit |
| https://simpkh.sourceforge.io/ | product |
| https://sourceforge.net/projects/simpkh/files/latest/download | product |
| https://www.vulncheck.com/advisories/sim-pkh-sql-injection-via-media-php-id-parameter | third-party-advisory |
Date Public
2018-10-22 00:00
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "SIM-PKH",
"vendor": "Simpkh",
"versions": [
{
"status": "affected",
"version": "2.4.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ihsan Sencan"
}
],
"datePublic": "2018-10-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "SIM-PKH 2.4.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the \u0027id\u0027 parameter. Attackers can send GET requests to /admin/media.php with module=pengurus and act=editpengurus parameters containing SQL UNION statements to extract database information including usernames, database names, and version details."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-30T14:55:17.141Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-45664",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/45664"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://simpkh.sourceforge.io/"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://sourceforge.net/projects/simpkh/files/latest/download"
},
{
"name": "VulnCheck Advisory: SIM-PKH 2.4.1 SQL Injection via media.php id Parameter",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/sim-pkh-sql-injection-via-media-php-id-parameter"
}
],
"title": "SIM-PKH 2.4.1 SQL Injection via media.php id Parameter",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2018-25410",
"datePublished": "2026-05-30T14:55:17.141Z",
"dateReserved": "2026-05-30T12:27:11.523Z",
"dateUpdated": "2026-05-30T14:55:17.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2018-25409 (GCVE-0-2018-25409)
Vulnerability from cvelistv5 – Published: 2026-05-30 14:55 – Updated: 2026-05-30 14:55
Title
SIM-PKH 2.4.1 Arbitrary File Upload via aksi_pengurus.php
Summary
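SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi_pengurus.php endpoint with the module=pengurus and act=update parameters; the uploaded files are stored in the foto directory and are executed as web scripts. The record below lists version 2.4.1 as affected, classifies the flaw as CWE-434, and rates it CVSS 8.7 (v4.0) and 8.8 (v3.1), both HIGH, with low privileges required.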
Severity
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/45659 | exploit |
| https://simpkh.sourceforge.io/ | product |
| https://sourceforge.net/projects/simpkh/files/latest/download | product |
| https://www.vulncheck.com/advisories/sim-pkh-arbitrary-file-upload-via-aksi-pengurus-php | third-party-advisory |
Date Public
2018-10-22 00:00
Credits
{
"containers": {
"cna": {
"affected": [
{
"product": "SIM-PKH",
"vendor": "Simpkh",
"versions": [
{
"status": "affected",
"version": "2.4.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ihsan Sencan"
}
],
"datePublic": "2018-10-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi_pengurus.php endpoint with module=pengurus and act=update parameters, which are stored in the foto directory and executed as web scripts."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-30T14:55:16.382Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-45659",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/45659"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://simpkh.sourceforge.io/"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://sourceforge.net/projects/simpkh/files/latest/download"
},
{
"name": "VulnCheck Advisory: SIM-PKH 2.4.1 Arbitrary File Upload via aksi_pengurus.php",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/sim-pkh-arbitrary-file-upload-via-aksi-pengurus-php"
}
],
"title": "SIM-PKH 2.4.1 Arbitrary File Upload via aksi_pengurus.php",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2018-25409",
"datePublished": "2026-05-30T14:55:16.382Z",
"dateReserved": "2026-05-30T12:26:46.782Z",
"dateUpdated": "2026-05-30T14:55:16.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}