CVE-2025-64061

Medium CVSS: 4.3

Primakon Pi Portal 1.0.18 /api/v2/users endpoint is vulnerable to unauthorized data exposure due to deficient access control mechanisms. Any authenticated user, regardless of their privilege level (including standard or low-privileged users), can make a GET request to this endpoint and retrieve a complete, unfiltered list of all registered application users. Crucially, the API response body for this endpoint includes password hashes.

Vendor

Primakon

Product

Project Contract Management

CWE

CWE-497

Yayın Tarihi

2025-11-25 17:15:50

Güncelleme

2025-12-01 14:43:55

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-497 Project Contract Management MEDIUM Primakon 2025

Referanslar

https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64061.md https://www.primakon.com/rjesenja/primakon-pcm/

Benzer Kayıtlar

Critical

CVE-2025-64063

Primakon Pi Portal 1.0.18 API endpoints fail to enforce sufficient authorization checks when processing requests. Specif…

High

CVE-2025-64064

Primakon Pi Portal 1.0.18 /api/v2/pp_users endpoint fails to adequately check user permissions before processing a PATCH…

High

CVE-2025-64065

The Primakon Pi Portal 1.0.18 API /api/V2/pp_udfv_admin endpoint, fails to perform necessary server-side validation. The…

Medium

CVE-2025-64067

Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data (e.g., user profiles…

High

CVE-2025-64066

Primakon Pi Portal 1.0.18 REST /api/v2/user/register endpoint suffers from a Broken Access Control vulnerability. The en…

High

CVE-2025-64062

The Primakon Pi Portal 1.0.18 /api/V2/pp_users?email endpoint is used for user data filtering but lacks proper server-si…