Description
HaPe PKH 1.1 fails to enforce authorization on its record deletion endpoints, allowing unauthenticated attackers to delete arbitrary records by sending a crafted request that specifies the target record's id. The admin/modul/mod_pengurus/aksi_pengurus.php (module=pengurus&act=hapus) and admin/modul/mod_update/aksi_update.php (module=update&act=hapus) endpoints process deletions without verifying the requester's privileges, enabling removal of pengurus (administrator) and update records.
Published: 2026-05-29
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HaPe PKH 1.1 does not enforce authorization on its delete endpoints, allowing an unauthenticated attacker to submit a request that specifies any record ID and cause that record to be removed. The missing check applies to the deletion routes for administrator accounts and update records, which can result in the loss of critical data or the removal of privileged user accounts, thus compromising confidentiality and integrity of the application data.
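As an added illustration, the following is the shape of a guarded `act=hapus` delete handler in PHP. It is hypothetical code written for this page, not HaPe PKH's own source (which the page does not show); the session keys, table name, column name and DSN are assumptions. The reported weakness (CWE-862) is the absence of the authorization step marked below.

```php
<?php
// Hypothetical hardened delete handler (not HaPe PKH's actual code).
// The reported flaw is that the real handler performs the DELETE for
// whatever id the request names without the session/role check below.
session_start();

function is_authorized_admin(array $session): bool {
    // Assumed session layout, set at login and never taken from the request.
    return !empty($session['login']) && ($session['level'] ?? '') === 'admin';
}

function delete_pengurus(PDO $db, int $id): int {
    // Prepared statement: the id is bound as a parameter, never interpolated.
    $stmt = $db->prepare('DELETE FROM pengurus WHERE id_pengurus = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount();
}

if (($_GET['act'] ?? '') === 'hapus') {
    // 1. Authorization before any state change: the missing check in the report.
    if (!is_authorized_admin($_SESSION)) {
        http_response_code(403);
        exit('forbidden');
    }

    // 2. Deletion is state-changing: require POST and a session-bound CSRF token.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !hash_equals($_SESSION['csrf'] ?? '', $_POST['csrf'] ?? '')) {
        http_response_code(400);
        exit('bad request');
    }

    // 3. Validate the id as a positive integer rather than accepting raw text.
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('invalid id');
    }

    $db = new PDO('mysql:host=localhost;dbname=pkh', 'app', 'secret'); // assumed DSN
    $deleted = delete_pengurus($db, $id);

    // 4. Leave an audit trail of who deleted what, for detection and forensics.
    error_log(sprintf('pengurus delete by %s: id=%d rows=%d',
                      $_SESSION['login'], $id, $deleted));
}
```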

Affected Systems

The affected product is HaPe PKH version 1.1 from Sitejo. The vulnerability is present in the module handling pengurus (administrator) deletions and the update records deletion endpoint; no other versions or implementations are listed.

Risk and Exploitability

The CVSS score of 8.7 indicates a high-severity vulnerability. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit it by sending a crafted HTTP request to the exposed delete URLs without any authentication, so the attack vector is web-based and requires only that the endpoints be reachable from the attacker’s network.

Generated by OpenCVE AI on May 29, 2026 at 17:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update HaPe PKH to the latest release that implements authorization checks on the deletion endpoints.
  • Configure the web server or application firewall to block unauthenticated access to /admin/modul/mod_pengurus/aksi_pengurus.php and /admin/modul/mod_update/aksi_update.php.
  • If a patch is unavailable, temporarily disable or remove the deletion endpoints until the application is updated or additional authentication checks are added.

Advisories

No advisories yet.

History

Fri, 29 May 2026 20:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (empty)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 16:15:00 +0000

Type: Description
Values Removed: (empty)
Values Added: HaPe PKH 1.1 fails to enforce authorization on its record deletion endpoints, allowing unauthenticated attackers to delete arbitrary records by sending a crafted request that specifies the target record's id. The admin/modul/mod_pengurus/aksi_pengurus.php (module=pengurus&act=hapus) and admin/modul/mod_update/aksi_update.php (module=update&act=hapus) endpoints process deletions without verifying the requester's privileges, enabling removal of pengurus (administrator) and update records.

Type: Title
Values Removed: (empty)
Values Added: HaPe PKH 1.1 Missing Authorization Allows Unauthenticated Record Deletion

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-862

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics (cvssV3_1)
Values Removed: (empty)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Type: Metrics (cvssV4_0)
Values Removed: (empty)
Values Added: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T19:25:37.368Z

Reserved: 2026-05-29T11:24:03.699Z

Link: CVE-2018-25391

Vulnrichment

Updated: 2026-05-29T19:25:30.580Z

NVD

Status: Deferred

Published: 2026-05-29T16:16:18.380

Modified: 2026-05-29T16:29:11.350

Link: CVE-2018-25391

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T17:45:04Z

Weaknesses