CVE-2025-64065

The Primakon Pi Portal 1.0.18 API /api/V2/pp_udfv_admin endpoint, fails to perform necessary server-side validation. The administrative LoginAs or user impersonation feature is vulnerable to a access control failure. This flaw allows any authenticated low-privileged user to execute a direct PATCH request, enabling them to impersonate any other arbitrary user, including application Administrators. This is due to a Broken Function Level Authorization failure (the function doesn't check the caller's privilege) compounded by an Insecure Design that permits a session switch without requiring the target user's password or an administrative token and only needs email of user.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64065.md	Third Party Advisory
https://www.primakon.com/rjesenja/primakon-pcm/	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:primakon:project_contract_management:1.0.18:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-11-25 19:15

Updated : 2025-12-01 14:22

NVD link : CVE-2025-64065

Mitre link : CVE-2025-64065

CVE.ORG link : CVE-2025-64065

JSON object : View

Products Affected

primakon

project_contract_management

CWE

CWE-285

Improper Authorization

8.8 /10