216.73.217.176

CVE-2025-64066

· Published 25/11/2025 18:15 · Modified 01/12/2025 14:19

Labels: CVE-2025-64066 2025-11-25CVE-2025-64066CWE-284[email protected]

Essential information

Published
25/11/2025 18:15
Modified
01/12/2025 14:19
Author
Creator
CVSS
8.6 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

CVSS metrics

Description

Primakon Pi Portal 1.0.18 REST /api/v2/user/register endpoint suffers from a Broken Access Control vulnerability. The endpoint fails to implement any authorization checks, allowing unauthenticated attackers to perform POST requests to register new user accounts in the application's local database. This bypasses the intended security architecture, which relies on an external Identity Provider for initial user registration and assumes that internal user creation is an administrative-only function. This vector can also be chained with other vulnerabilities for privilege escalation and complete compromise of application. This specific request can be used to also enumerate already registered user accounts, aiding in social engineering or further targeted attacks.

NVD status

Status
Analyzed — CVE has had analysis completed and all data associations made.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
primakon / project contract management cpe:2.3:a:primakon:project_contract_management:1.0.18:*:*:*:*:*:*:*

References