Description
HaPe PKH 1.1 contains a cross-site request forgery vulnerability that allows attackers to change administrator passwords by submitting forged requests to the user update endpoint. Attackers can craft malicious forms targeting the aksi_user.php script with parameters like id_user, password, and level to modify admin credentials without authentication.
Published: 2026-05-29
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HaPe PKH 1.1 contains a CSRF vulnerability (CWE-352) that permits an attacker to modify administrator credentials by sending forged requests to the aksi_user.php endpoint. The flaw allows an attacker to supply parameters such as id_user, password, and level without requiring any authentication of their own, thereby enabling them to reset admin passwords and gain privileged access. The vulnerability directly compromises the confidentiality and integrity of privileged accounts.

Affected Systems

The affected product is HaPe PKH version 1.1 from the Sitejo vendor. No additional versions are listed as vulnerable.

Risk and Exploitability

The CVSS score of 6.9 classifies the flaw as medium severity; no EPSS score is available, so the exploitation probability cannot be estimated from that source. Because the attack relies on a forged HTTP request, an attacker does not need credentials of their own: it is enough to induce a victim's browser to load a malicious page that submits the request. The vulnerability is not listed in the CISA KEV catalog, which suggests it has not yet been widely exploited, though the potential impact of granting administrator access remains significant.

Generated by OpenCVE AI on May 29, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-published security update for HaPe PKH 1.1 or upgrade to a patched version
  • Configure the aksi_user.php script to require valid administrator authentication and role checks before processing any password changes
  • Implement robust CSRF protection, such as including per-session tokens or validating the Origin header, to prevent forged requests
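One way to implement the authentication, role and CSRF checks recommended above, written here as an added example and not as HaPe PKH's own code. Only the endpoint name aksi_user.php and the parameter names id_user, password and level come from the advisory; the session keys, the allowed level values, the database table and column names, the PDO connection details and the csrf_token field name are all assumptions.

```php
<?php
// Added example: a hardened user-update handler in the style of aksi_user.php.
// Illustrative code, not the vendor's source. Everything except the parameter
// names id_user, password and level is assumed.
declare(strict_types=1);

session_start();

// Returns the per-session CSRF token, creating it on first use. The form page
// should emit it as <input type="hidden" name="csrf_token" value="..."> (assumed field name).
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// 1. Authentication and role check: only a logged-in administrator may change
//    credentials. Assumes the login flow stores 'user_id' and 'level' in the session.
if (empty($_SESSION['user_id']) || ($_SESSION['level'] ?? '') !== 'admin') {
    http_response_code(403);
    exit('Forbidden');
}

// 2. State changes are accepted over POST only; a GET with query parameters is refused.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method Not Allowed');
}

// 3. Origin check: when the browser sends an Origin header it must match this site.
//    $allowedOrigin is a placeholder for the real deployment origin.
$allowedOrigin = 'https://example.invalid';
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
if ($origin !== '' && $origin !== $allowedOrigin) {
    http_response_code(403);
    exit('Cross-origin request rejected');
}

// 4. Per-session CSRF token: the submitted token must match the one in the session.
//    hash_equals() compares in constant time.
$submitted = $_POST['csrf_token'] ?? '';
if (!is_string($submitted) || !hash_equals(csrf_token(), $submitted)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}

// 5. Validate input before touching the database. The allowed level values are assumed.
$idUser   = filter_input(INPUT_POST, 'id_user', FILTER_VALIDATE_INT);
$password = $_POST['password'] ?? '';
$level    = $_POST['level'] ?? '';
if ($idUser === false || $idUser === null
    || !is_string($password) || strlen($password) < 12
    || !in_array($level, ['admin', 'user'], true)) {
    http_response_code(400);
    exit('Invalid input');
}

// 6. Store a password hash, never the plaintext, through a prepared statement.
//    Placeholder DSN and credentials; table and column names are assumed.
$pdo = new PDO('mysql:host=localhost;dbname=hape_pkh', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$hash = password_hash($password, PASSWORD_DEFAULT);
$stmt = $pdo->prepare('UPDATE user SET password = :password, level = :level WHERE id_user = :id');
$stmt->execute([':password' => $hash, ':level' => $level, ':id' => $idUser]);

// 7. Rotate the token after a successful change so a token that leaked earlier
//    cannot be replayed against the next request.
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
echo 'User updated';
```

The order of the checks matters for defenders reviewing similar handlers: the session and role check comes first so that an unauthenticated request never reaches the token comparison, and the token is tied to the session rather than to a fixed value, so a token captured from one administrator's form cannot be reused in another session.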
Advisories

No advisories yet.

History

Fri, 29 May 2026 16:15:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: HaPe PKH 1.1 contains a cross-site request forgery vulnerability that allows attackers to change administrator passwords by submitting forged requests to the user update endpoint. Attackers can craft malicious forms targeting the aksi_user.php script with parameters like id_user, password, and level to modify admin credentials without authentication.

Type: Title
  Values Removed: (none)
  Values Added: HaPe PKH 1.1 Cross-Site Request Forgery via aksi_user.php

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-352

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added:
    cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
    cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T14:46:31.802Z

Reserved: 2026-05-29T11:16:38.154Z

Link: CVE-2018-25387

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-29T16:16:17.853

Modified: 2026-05-29T16:29:11.350

Link: CVE-2018-25387

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T17:30:04Z

Weaknesses