{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2018-25409", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-05-30T12:26:46.782Z", "datePublished": "2026-05-30T14:55:16.382Z", "dateUpdated": "2026-06-01T15:25:28.271Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-30T14:55:16.382Z" }, "datePublic": "2018-10-22T00:00:00.000Z", "title": "SIM-PKH 2.4.1 Arbitrary File Upload via aksi_pengurus.php", "descriptions": [ { "lang": "en", "value": "SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi_pengurus.php endpoint with module=pengurus and act=update parameters, which are stored in the foto directory and executed as web scripts." } ], "problemTypes": [ { "descriptions": [ { "lang": "en", "description": "Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE" } ] } ], "affected": [ { "vendor": "Simpkh", "product": "SIM-PKH", "versions": [ { "version": "2.4.1", "status": "affected" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS" }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS" } ], "references": [ { "url": "https://www.exploit-db.com/exploits/45659", "name": "ExploitDB-45659", "tags": [ "exploit" ] }, { "url": "https://simpkh.sourceforge.io/", "name": "Official Product Homepage", "tags": [ "product" ] }, { "url": "https://sourceforge.net/projects/simpkh/files/latest/download", "name": "Product Reference", "tags": [ "product" ] }, { "name": "VulnCheck Advisory: SIM-PKH 2.4.1 Arbitrary File Upload via aksi_pengurus.php", "tags": [ "third-party-advisory" ], "url": "https://www.vulncheck.com/advisories/sim-pkh-arbitrary-file-upload-via-aksi-pengurus-php" } ], "credits": [ { "lang": "en", "value": "Ihsan Sencan", "type": "finder" } ], "x_generator": { "engine": "vulncheck" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-06-01T15:19:03.133163Z", "id": "CVE-2018-25409", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-01T15:25:28.271Z" } } ] } }