CVE-2018-25409 PUBLISHED

SIM-PKH 2.4.1 Arbitrary File Upload via aksi_pengurus.php

Assigner: VulnCheck
Reserved: 30.05.2026 Published: 30.05.2026 Updated: 30.05.2026

SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi_pengurus.php endpoint with module=pengurus and act=update parameters, which are stored in the foto directory and executed as web scripts.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor Simpkh
Product SIM-PKH
Versions
  • Version 2.4.1 is affected

Credits

  • Ihsan Sencan finder

References

Problem Types

  • Unrestricted Upload of File with Dangerous Type CWE