CVE-2018-25410 in SIM-PKH

Summary

by MITRE • 05/30/2026

SIM-PKH 2.4.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to /admin/media.php with module=pengurus and act=editpengurus parameters containing SQL UNION statements to extract database information including usernames, database names, and version details.

Analysis

by VulDB Data Team • 05/31/2026

The SIM-PKH 2.4.1 web application contains a critical SQL injection vulnerability that compromises the integrity of the underlying database system. The flaw is in the administrative interface, where the application fails to properly sanitize user input passed through the 'id' parameter. Authenticated attackers can manipulate the application's database queries by injecting malicious SQL code, thereby bypassing normal authentication and authorization mechanisms. The vulnerability manifests when the application processes requests to the /admin/media.php endpoint with the module=pengurus and act=editpengurus parameters, creating a direct pathway for database exploitation.

The vulnerability stems from improper input validation and parameter handling in the application's backend processing logic. When an authenticated user submits a request containing malicious SQL code in the id parameter, the application incorporates this input directly into the SQL query it constructs, without adequate sanitization or parameterization. Because the query is built this way, attackers can inject SQL UNION statements to extract sensitive information from the database. The vulnerability is particularly dangerous because it operates within the administrative context, providing attackers with elevated privileges and access to critical system information.

The operational impact of this vulnerability extends beyond simple data exfiltration, as it enables comprehensive database reconnaissance and potential system compromise. Attackers can leverage the SQL injection to extract usernames, database names, and version details, which gives them crucial intelligence for further attacks. The extracted information can include administrative credentials, database schema structures, and system version information that can be used to identify additional vulnerabilities or craft more sophisticated attack vectors. This reconnaissance capability significantly amplifies the potential damage, because attackers can tailor their approach to the specific database configuration and application architecture.

Security professionals should implement multiple layers of defense to mitigate this vulnerability. The primary remediation is proper input validation and parameterized queries throughout the application's codebase, specifically in the handling of user-supplied parameters in the administrative interface. The application should enforce strict sanitization of all input data and use prepared statements or parameterized queries to prevent SQL injection attacks. Additionally, proper access controls and monitoring mechanisms can help detect anomalous database access patterns that may indicate exploitation attempts. Organizations should also consider web application firewalls and database activity monitoring solutions as additional protection layers. This vulnerability aligns with CWE-89 (SQL injection) and can be categorized under ATT&CK technique T1190 for exploitation of remote services, emphasizing the need for comprehensive security controls across multiple attack surface areas.
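The monitoring recommendation above can be applied to web server access logs. The following is an added example, not code from SIM-PKH or VulDB: a Python check that flags requests to the endpoint named in this entry whose id is anything other than a single decimal value. The combined log format, the assumption that legitimate ids are numeric record keys, and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of a combined-format access log entry (format is an assumption).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>[^"]+) HTTP/[\d.]+"')
TARGET_SUFFIX = "/admin/media.php"       # endpoint named in the advisory
NUMERIC_ID = re.compile(r"[0-9]{1,10}")  # assumption: ids are plain record keys

def suspicious_id(line):
    """Return the decoded id value(s) when a request reaches the affected
    handler with anything other than one decimal id; otherwise None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith(TARGET_SUFFIX):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    if params.get("module") != ["pengurus"] or params.get("act") != ["editpengurus"]:
        return None
    ids = params.get("id", [])
    if not ids or (len(ids) == 1 and NUMERIC_ID.fullmatch(ids[0])):
        return None
    return " | ".join(ids)  # repeated id parameters are reported together

def scan(lines):
    """Return (line_number, decoded_id) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_id(line)
        if value is not None:
            hits.append((number, value))
    return hits

# Constructed sample log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2026:10:00:01 +0000] "GET /admin/media.php?module=pengurus&act=editpengurus&id=12 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jun/2026:10:00:09 +0000] "GET /admin/media.php?module=pengurus&act=editpengurus&id=12%20UNION%20SELECT%201 HTTP/1.1" 200 5344',
    '198.51.100.4 - - [01/Jun/2026:10:01:30 +0000] "GET /admin/media.php?module=other&act=edit&id=abc HTTP/1.1" 200 2048',
    '198.51.100.4 - - [01/Jun/2026:10:02:11 +0000] "GET /admin/media.php?module=pengurus&act=editpengurus&id=3&id=4 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: unexpected id -> {value!r}")
```

Because the advisory describes authenticated exploitation, a hit should be correlated with the admin session that issued the request.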

Responsible

VulnCheck

Reservation

05/30/2026

Disclosure

05/30/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00026

KEV

no

Activities

very low

Sources
