What is GHSA-jv33-m8x5-6599?

GHSA-jv33-m8x5-6599 is a security advisory published by GitHub Security Advisories with High severity. HaPe PKH 1.1 fails to enforce authorization on its record deletion endpoints, allowing...

Which CVE IDs does GHSA-jv33-m8x5-6599 cover?

GHSA-jv33-m8x5-6599 covers the following CVE IDs: CVE-2018-25391. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-jv33-m8x5-6599?

GHSA-jv33-m8x5-6599 has a CVSS v3 base score of 7.5, published by GitHub Security Advisories.

GHSA-jv33-m8x5-6599HighCVSS 7.5

HaPe PKH 1.1 fails to enforce authorization on its record deletion endpoints, allowing...

Vendor

GitHub Security Advisories

Published

May 29, 2026

Last Modified

May 29, 2026

🔗 CVE IDs covered (1)

CVE-2018-25391 →

📋 Description

HaPe PKH 1.1 fails to enforce authorization on its record deletion endpoints, allowing unauthenticated attackers to delete arbitrary records by sending a crafted request that specifies the target record's id. The admin/modul/mod_pengurus/aksi_pengurus.php (module=pengurus&act=hapus) and admin/modul/mod_update/aksi_update.php (module=update&act=hapus) endpoints process deletions without verifying the requester's privileges, enabling removal of pengurus (administrator) and update records.

🔗 References (6)

https://nvd.nist.gov/vuln/detail/CVE-2018-25391
https://sourceforge.net/projects/hape-pkh/files/latest/download
https://www.exploit-db.com/exploits/45588
https://www.vulncheck.com/advisories/hape-pkh-missing-authorization-allows-unauthenticated-record-deletion
http://www.sitejo.id
https://github.com/advisories/GHSA-jv33-m8x5-6599