CVE-2025-64064

High CVSS: 8.8

Primakon Pi Portal 1.0.18 /api/v2/pp_users endpoint fails to adequately check user permissions before processing a PATCH request to modify the PP_SECURITY_PROFILE_ID. Because of weak access controls any low level user can use this API and change their permission to Administrator by using PP_SECURITY_PROFILE_ID=2 inside body of request and escalate privileges.

Vendor

Primakon

Product

Project Contract Management

CWE

CWE-284

Yayın Tarihi

2025-11-25 19:15:50

Güncelleme

2025-12-01 14:22:20

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-284 Project Contract Management HIGH Primakon 2025

Referanslar

https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64064.md https://www.primakon.com/rjesenja/primakon-pcm/

Benzer Kayıtlar

Critical

CVE-2025-64063

Primakon Pi Portal 1.0.18 API endpoints fail to enforce sufficient authorization checks when processing requests. Specif…

High

CVE-2025-64065

The Primakon Pi Portal 1.0.18 API /api/V2/pp_udfv_admin endpoint, fails to perform necessary server-side validation. The…

Medium

CVE-2025-64067

Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data (e.g., user profiles…

High

CVE-2025-64066

Primakon Pi Portal 1.0.18 REST /api/v2/user/register endpoint suffers from a Broken Access Control vulnerability. The en…

High

CVE-2025-64062

The Primakon Pi Portal 1.0.18 /api/V2/pp_users?email endpoint is used for user data filtering but lacks proper server-si…

Medium

CVE-2025-64061

Primakon Pi Portal 1.0.18 /api/v2/users endpoint is vulnerable to unauthorized data exposure due to deficient access con…