CVE-2025-64062

High CVSS: 8.8

The Primakon Pi Portal 1.0.18 /api/V2/pp_users?email endpoint is used for user data filtering but lacks proper server-side validation against the authenticated session. By manipulating the email parameter to an arbitrary value (e.g., otheruser@user.com), an attacker can assume the session and gain full access to the target user's data and privileges. Also, if the email parameter is left blank, the application defaults to the first user in the list, who is typically the application administrator, resulting in an immediate Privilege Escalation to the highest level.

Vendor

Primakon

Product

Project Contract Management

CWE

CWE-285

Yayın Tarihi

2025-11-25 18:15:53

Güncelleme

2025-12-01 13:25:19

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-285 Project Contract Management HIGH Primakon 2025

Referanslar

https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64062.md https://www.primakon.com/rjesenja/primakon-pcm/

Benzer Kayıtlar

Critical

CVE-2025-64063

Primakon Pi Portal 1.0.18 API endpoints fail to enforce sufficient authorization checks when processing requests. Specif…

High

CVE-2025-64064

Primakon Pi Portal 1.0.18 /api/v2/pp_users endpoint fails to adequately check user permissions before processing a PATCH…

High

CVE-2025-64065

The Primakon Pi Portal 1.0.18 API /api/V2/pp_udfv_admin endpoint, fails to perform necessary server-side validation. The…

Medium

CVE-2025-64067

Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data (e.g., user profiles…

High

CVE-2025-64066

Primakon Pi Portal 1.0.18 REST /api/v2/user/register endpoint suffers from a Broken Access Control vulnerability. The en…

Medium

CVE-2025-64061

Primakon Pi Portal 1.0.18 /api/v2/users endpoint is vulnerable to unauthorized data exposure due to deficient access con…