CVE-2025-64063

Primakon Pi Portal 1.0.18 API endpoints fail to enforce sufficient authorization checks when processing requests. Specifically, a standard user can exploit this flaw by sending direct HTTP requests to administrative endpoints, bypassing the UI restrictions. This allows the attacker to manipulate data outside their assigned scope, including: Unauthorized Account modification, modifying/deleting arbitrary user accounts and changing passwords by sending a direct request to the user management API endpoint; Confidential Data Access, accessing and downloading sensitive organizational documents via a direct request to the document retrieval API; Privilege escalation, This vulnerability can lead to complete compromise of data integrity and confidentiality, and Privilege Escalation by manipulating core system functions.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64063.md	Third Party Advisory
https://www.primakon.com/rjesenja/primakon-pcm/	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:primakon:project_contract_management:1.0.18:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-11-25 19:15

Updated : 2025-12-01 14:22

NVD link : CVE-2025-64063

Mitre link : CVE-2025-64063

CVE.ORG link : CVE-2025-64063

JSON object : View

Products Affected

primakon

project_contract_management

CWE

CWE-285

Improper Authorization

9.8 /10