CVE-2025-64065

· Published 25/11/2025 19:15 · Modified 01/12/2025 14:22

Labels: CVE-2025-64065 · 2025-11-25 · CWE-285 · [email protected]

Essential information

Published
25/11/2025 19:15
Modified
01/12/2025 14:22
Author
Creator
CVSS
8.8 HIGH (v3.1)
CISA KEV
No
CWE
CWE-285
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

The /api/V2/pp_udfv_admin API endpoint of Primakon Pi Portal 1.0.18 fails to perform the necessary server-side validation. The administrative LoginAs (user impersonation) feature is vulnerable to an access control failure: any authenticated low-privileged user can send a direct PATCH request and impersonate any other user, including application Administrators. The root cause is a Broken Function Level Authorization failure (the function does not check the caller's privilege), compounded by an insecure design that permits a session switch without requiring the target user's password or an administrative token; only the target user's email address is needed.
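The following is an added example, not Primakon's code and not taken from the advisory. It models the class of bug described above as a minimal in-memory PATCH handler in two forms: a vulnerable LoginAs that switches the session to whichever account the caller names, and a hardened version that authorizes from the caller's server-side role, refuses to impersonate administrators, and records an audit entry. The request field name "email", the role names "user"/"admin", and the user store are assumptions made for the example.

```python
"""Added example (not Primakon's code): a model of the LoginAs/impersonation
endpoint described in the advisory, in a vulnerable and a hardened form.
Assumptions (not from the advisory): the PATCH body field is "email", roles
are "user"/"admin", and USERS below is constructed sample data."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample user store (hypothetical accounts, not real data).
USERS = {
    "alice@example.test": {"id": 1, "role": "user"},
    "bob@example.test": {"id": 2, "role": "user"},
    "root@example.test": {"id": 3, "role": "admin"},
}


@dataclass
class Session:
    user_email: str                     # identity the session currently acts as
    impersonator: Optional[str] = None  # admin who started a LoginAs, if any
    audit: list = field(default_factory=list)

    @property
    def role(self) -> str:
        # Privilege is derived server-side from the session, never from the client.
        return USERS[self.user_email]["role"]


def patch_login_as_vulnerable(session: Session, body: dict) -> int:
    """Broken Function Level Authorization: any authenticated caller may switch
    the session to any account just by naming its email. Returns an HTTP status."""
    target = body.get("email")
    if target not in USERS:
        return 404
    session.user_email = target         # no check of the caller's privilege
    return 200


def patch_login_as_hardened(session: Session, body: dict) -> int:
    """Same feature with server-side authorization: the caller must already be an
    admin, the target must exist and must not itself be an admin account, and the
    switch is audited and remembers who initiated it."""
    if session.role != "admin":
        return 403                      # function-level authorization check
    target = body.get("email")
    if not isinstance(target, str) or target not in USERS:
        return 404
    if USERS[target]["role"] == "admin":
        return 403                      # never impersonate another administrator
    session.audit.append(f"LoginAs {session.user_email} -> {target}")
    session.impersonator = session.user_email
    session.user_email = target
    return 200


def low_priv_takeover(handler: Callable[[Session, dict], int]) -> tuple:
    """Reproduce the advisory's scenario: a low-privileged user sends
    PATCH /api/V2/pp_udfv_admin naming an administrator. Returns
    (status, role the session ends up with)."""
    session = Session(user_email="alice@example.test")
    status = handler(session, {"email": "root@example.test"})
    return status, session.role


if __name__ == "__main__":
    print("vulnerable:", low_priv_takeover(patch_login_as_vulnerable))  # (200, 'admin')
    print("hardened:  ", low_priv_takeover(patch_login_as_hardened))    # (403, 'user')
```

The point of the hardened handler is that the decision rests on state the server already holds (the session's role), so no client-supplied token or password is needed to fix the function-level check; the extra rule against impersonating admin accounts and the audit entry address the "insecure design" half of the advisory.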

NVD status

Status
Analyzed — CVE has had analysis completed and all data associations made.
Source
[email protected]

Affected products (CPE)

Product: primakon / project contract management
CPE: cpe:2.3:a:primakon:project_contract_management:1.0.18:*:*:*:*:*:*:*

References