Vulnerability Description
Primakon Pi Portal 1.0.18 API endpoints fail to enforce sufficient authorization checks when processing requests. A standard (non-administrative) user can exploit this by sending direct HTTP requests to administrative endpoints, bypassing restrictions that are enforced only in the UI. This allows the attacker to manipulate data outside their assigned scope, including:
- Unauthorized account modification: modifying or deleting arbitrary user accounts and changing their passwords by sending a direct request to the user management API endpoint.
- Confidential data access: reading and downloading sensitive organizational documents via a direct request to the document retrieval API.
- Privilege escalation: manipulating core system functions through the same unprotected endpoints.
Taken together, this can lead to complete compromise of data integrity and confidentiality.
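To make the flaw class concrete, here is an added, hypothetical example (not Primakon code, and not the real Pi Portal API): a request dispatcher that authenticates the caller but never authorizes the action, next to a hardened version of the same routes that checks role and ownership server-side. The paths `/api/users/<name>` and `/api/documents/<id>`, the roles, the accounts and the document are all assumptions constructed for the illustration.

```python
"""Missing function-level authorization, illustrated.

Added example only; this is NOT Primakon code and does not reproduce the
real Pi Portal endpoints.  Every path, role name, account and document is
an assumption constructed for the illustration.  vulnerable_dispatch()
shows the flaw class (the server trusts any authenticated caller and
relies on the UI to hide admin actions); hardened_dispatch() serves the
same routes with deny-by-default checks.
"""
from copy import deepcopy

# Constructed sample state: one admin, two standard users, one document.
SEED = {
    "users": {
        "alice": {"role": "admin", "password": "alice-pw"},
        "bob":   {"role": "user",  "password": "bob-pw"},
        "carol": {"role": "user",  "password": "carol-pw"},
    },
    "documents": {
        "D-1": {"owner": "carol", "classification": "confidential",
                "body": "contract terms"},
    },
}


def fresh_store():
    """Return an independent copy of the sample state for one scenario."""
    return deepcopy(SEED)


def _route(path):
    """Split '/api/users/bob' into ('users', 'bob'); None if not an API route."""
    parts = [p for p in path.split("/") if p]
    if len(parts) == 3 and parts[0] == "api":
        return parts[1], parts[2]
    return None


def vulnerable_dispatch(store, caller, method, path, body=None):
    """Authenticates the caller but never authorizes the action.

    The UI hides the user-management and document-download buttons from
    standard users; nothing stops them from issuing the request directly.
    Returns (status, payload).
    """
    if caller not in store["users"]:
        return 401, None
    route = _route(path)
    if route is None:
        return 404, None
    collection, target = route
    if collection == "users" and target in store["users"]:
        if method == "DELETE":
            del store["users"][target]          # any caller may delete anyone
            return 200, None
        if method == "PATCH":
            store["users"][target].update(body or {})  # any field, any account
            return 200, None
    if collection == "documents" and method == "GET":
        doc = store["documents"].get(target)    # no ownership check
        return (200, doc) if doc else (404, None)
    return 404, None


def hardened_dispatch(store, caller, method, path, body=None):
    """Same routes, but every handler enforces a server-side rule.

    Deletion and arbitrary account edits require the admin role; a standard
    user may change only their own password; document reads require
    ownership or the admin role.  Anything not explicitly allowed is refused.
    """
    if caller not in store["users"]:
        return 401, None
    is_admin = store["users"][caller]["role"] == "admin"
    route = _route(path)
    if route is None:
        return 404, None
    collection, target = route
    if collection == "users" and target in store["users"]:
        if method == "DELETE":
            if not is_admin:
                return 403, None
            del store["users"][target]
            return 200, None
        if method == "PATCH":
            fields = set(body or {})
            own_password_only = target == caller and fields == {"password"}
            if not (is_admin or own_password_only):
                return 403, None
            store["users"][target].update(body or {})
            return 200, None
    if collection == "documents" and method == "GET":
        doc = store["documents"].get(target)
        if doc is None:
            return 404, None
        if not (is_admin or doc["owner"] == caller):
            return 403, None
        return 200, doc
    return 404, None


if __name__ == "__main__":
    s = fresh_store()
    print("vulnerable, bob DELETE alice:",
          vulnerable_dispatch(s, "bob", "DELETE", "/api/users/alice")[0])
    s = fresh_store()
    print("hardened,   bob DELETE alice:",
          hardened_dispatch(s, "bob", "DELETE", "/api/users/alice")[0])
```

The point to take from the hardened version is that the check lives in the handler, not the UI: every administrative route tests the caller's role on the server, and object reads verify ownership. Returning 403 for an existing document the caller may not read is a design choice made here for clarity; returning 404 for both the missing and the forbidden case avoids giving a standard user an existence oracle.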
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Primakon | Project Contract Management | 1.0.18 |
Related Weaknesses (CWE)
References
- https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64063.md (Third Party Advisory)
- https://www.primakon.com/rjesenja/primakon-pcm/ (Product)
FAQ
What is CVE-2025-64063?
CVE-2025-64063 is a vulnerability with a CVSS score of 9.8 (CRITICAL) in Primakon Pi Portal 1.0.18, whose API endpoints fail to enforce sufficient authorization checks when processing requests. A standard user can reach administrative functionality by sending direct HTTP requests to those endpoints, bypassing restrictions enforced only in the UI; see the Vulnerability Description above for the full impact.
How severe is CVE-2025-64063?
CVE-2025-64063 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-64063?
This page does not list a fixed version. Check the references section above for vendor advisories and patch information. Affected products include: Primakon Project Contract Management (version 1.0.18).