Description

Primakon Pi Portal 1.0.18 /api/v2/pp_users endpoint fails to adequately check user permissions before processing a PATCH request to modify the PP_SECURITY_PROFILE_ID. Because of weak access controls any low level user can use this API and change their permission to Administrator by using PP_SECURITY_PROFILE_ID=2 inside body of request and escalate privileges.

INFO

Published Date :

2025-11-25T00:00:00.000Z

Last Modified :

2025-11-25T20:35:12.049Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-64064 vulnerability.

Vendors Products
Primakon
  • Pi Portal
  • Project Contract Management
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-64064.

URL Resource
https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64064.md cve-icon cve-icon
https://www.primakon.com/rjesenja/primakon-pcm/ cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact