CVE-2018-25409

high

Description

SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi_pengurus.php endpoint with module=pengurus and act=update parameters, which are stored in the foto directory and executed as web scripts.

References

https://www.vulncheck.com/advisories/sim-pkh-arbitrary-file-upload-via-aksi-pengurus-php

https://www.exploit-db.com/exploits/45659

https://sourceforge.net/projects/simpkh/files/latest/download

https://simpkh.sourceforge.io/

Details

Source: Mitre, NVD

Published: 2026-05-30

Updated: 2026-05-30

Risk Information

CVSS v2

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.8

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

CVSS v4

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Severity: High