


Perceptive Security
SOC/SIEM Consultancy

HaPe PKH 1.1 fails to enforce authorization on its record deletion endpoints, allowing unauthenticated attackers to delete arbitrary records by sending a crafte…
Published:
28 May 2026 at 22:00:00
Alert date:
29 May 2026 at 17:11:07
Source:
nvd.nist.gov
Web Technologies, Identity & Access
CVE-2018-25391 is a vulnerability in HaPe PKH version 1.1 that allows unauthenticated attackers to delete arbitrary records, because the application does not enforce authorization checks on its record deletion endpoints. The flaw exists in two specific endpoints: admin/modul/mod_pengurus/aksi_pengurus.php and admin/modul/mod_update/aksi_update.php. Attackers can exploit it by sending crafted requests containing target record IDs to delete administrator and update records. The vulnerability is a critical authorization bypass that could lead to data loss and system compromise. No authentication is required to exploit the flaw, which makes it particularly dangerous for exposed systems.
Technical details
Mitigation steps:
Affected products:
HaPe PKH 1.1
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2018-25391
http://www.sitejo.id
https://sourceforge.net/projects/hape-pkh/files/latest/download
https://www.exploit-db.com/exploits/45588
https://www.vulncheck.com/advisories/hape-pkh-missing-authorization-allows-unauthenticated-record-deletion
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
