CVE-2025-64066

Primakon Pi Portal 1.0.18 REST /api/v2/user/register endpoint suffers from a Broken Access Control vulnerability. The endpoint fails to implement any authorization checks, allowing unauthenticated attackers to perform POST requests to register new user accounts in the application's local database. This bypasses the intended security architecture, which relies on an external Identity Provider for initial user registration and assumes that internal user creation is an administrative-only function. This vector can also be chained with other vulnerabilities for privilege escalation and complete compromise of application. This specific request can be used to also enumerate already registered user accounts, aiding in social engineering or further targeted attacks.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64066.md	Third Party Advisory
https://www.primakon.com/rjesenja/primakon-pcm/	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:primakon:project_contract_management:1.0.18:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-11-25 18:15

Updated : 2025-12-01 14:19

NVD link : CVE-2025-64066

Mitre link : CVE-2025-64066

CVE.ORG link : CVE-2025-64066

JSON object : View

Products Affected

primakon

project_contract_management

CWE

CWE-284

Improper Access Control

8.6 /10