CVE-2018-25410

Name of the Vulnerable Software and Affected Versions SIM-PKH version 2.4.1

Description Authenticated attackers can execute arbitrary SQL queries by injecting malicious code through the id parameter. This is achieved by sending GET requests to the '/admin/media.php' endpoint with the module parameter set to 'pengurus' and the act parameter set to 'editpengurus'. The use of SQL UNION statements allows for the extraction of database information, including usernames, database names, and version details.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.