PT-2025-48065 · Primakon · Primakon Pi Portal
Published: 2025-11-25 · Updated: 2025-12-01 · CVE-2025-64062
CVSS v3.1: 8.8 (High) · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Primakon Pi Portal version 1.0.18

Description: The /api/V2/pp users?email endpoint does not validate the email parameter server-side against the authenticated session. Setting the email parameter to an arbitrary value, such as otheruser@user.com, lets an attacker act under that user's session and gain full access to the target user's data and privileges. Leaving the email parameter blank makes the application default to the first user in the list, typically the application administrator, resulting in privilege escalation.

Recommendations: Primakon Pi Portal version 1.0.18: implement robust server-side validation of the email parameter in the /api/V2/pp users?email endpoint so that it must correspond to the authenticated session.
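To make the recommendation concrete, here is an added example (not Primakon's code, and not taken from this advisory) of a user-lookup handler in the shape of the endpoint described above: first as the advisory characterises it, where the client-supplied email selects the record and a blank value falls through to the first user, then hardened so that the record served is bound to the authenticated session. The user table, the `User`/`Forbidden` types, the function names and the session representation are all assumptions made for the illustration.

```python
# Added example, not Primakon Pi Portal code. Demonstrates the improper-authorization
# pattern the advisory describes (client-chosen email, blank falls through to the
# first user) next to a session-bound fix. All names and data here are constructed.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class User:
    email: str
    role: str


# Constructed sample user table. The first row stands in for the administrator
# account that a blank email parameter resolves to in the weak variant.
USERS = [
    User("admin@example.invalid", "admin"),
    User("alice@example.invalid", "user"),
    User("bob@example.invalid", "user"),
]


class Forbidden(Exception):
    """Raised when the requested record does not belong to the session owner."""


def _find_by_email(email: str) -> Optional[User]:
    """Case-insensitive lookup in the constructed user table."""
    wanted = email.strip().lower()
    for u in USERS:
        if u.email.lower() == wanted:
            return u
    return None


def lookup_vulnerable(session_email: str, email_param: Optional[str]) -> User:
    """Weak variant: the session owner is never consulted; the client picks the
    record, and an empty or missing parameter falls through to the first user."""
    if not email_param:
        return USERS[0]
    user = _find_by_email(email_param)
    if user is None:
        raise KeyError("no such user")
    return user


def lookup_hardened(session_email: str, email_param: Optional[str]) -> User:
    """Fixed variant: the identity comes from the authenticated session. A supplied
    email is accepted only when it matches the session owner; a blank parameter
    simply means 'the current user' and can no longer select another account."""
    requested = (email_param or session_email).strip().lower()
    if requested != session_email.strip().lower():
        # Mismatch between session and requested record: deny, and this is the
        # event worth logging for detection of probing against the endpoint.
        raise Forbidden("email parameter does not match the authenticated session")
    user = _find_by_email(session_email)
    if user is None:
        raise Forbidden("authenticated session has no matching user record")
    return user


def demo() -> Dict[str, str]:
    """Run both variants against the same requests from alice's session and
    return the outcomes so the difference can be compared side by side."""
    session = "alice@example.invalid"
    results: Dict[str, str] = {}
    results["vuln_foreign"] = lookup_vulnerable(session, "bob@example.invalid").email
    results["vuln_blank"] = lookup_vulnerable(session, "").role
    results["hard_own"] = lookup_hardened(session, "alice@example.invalid").email
    results["hard_blank"] = lookup_hardened(session, "").email
    try:
        lookup_hardened(session, "bob@example.invalid")
        results["hard_foreign"] = "allowed"
    except Forbidden:
        results["hard_foreign"] = "forbidden"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that the hardened handler never uses the email parameter to choose a record; it only checks that the parameter, if present, agrees with the session, and then looks up the session owner. Any disagreement is rejected and raised as a distinct error, which gives the application a clean place to log attempts to reach other users' records.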

Tags: Exploit · Fix · LPE · Improper Authorization

Weakness Enumeration

Related Identifiers: CVE-2025-64062

Affected Products: Primakon Pi Portal