PT-2025-48072 · Primakon · Primakon Pi Portal
Published 2025-11-25 · Updated 2025-12-01
CVE-2025-64064
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Primakon Pi Portal version 1.0.18
Description
The /api/v2/pp users endpoint in Primakon Pi Portal does not properly verify user permissions when handling PATCH requests that modify the PP SECURITY PROFILE ID. A low-privileged user can therefore escalate to Administrator by setting PP SECURITY PROFILE ID to 2 in the request body. The vulnerable parameter is PP SECURITY PROFILE ID.
Recommendations
Apply access controls to the /api/v2/pp users endpoint so that permissions are checked before any PATCH request that modifies the PP SECURITY PROFILE ID is processed.
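The permission check the recommendation calls for, as an added example that is not Primakon's code: the handler pattern the advisory describes next to a hardened one that ties changes of the security-profile field to an administrator caller. The user model, the HTTP status codes, the other editable fields and the constant names are assumptions; only the field name and the Administrator profile id 2 come from the advisory.

```python
from dataclasses import dataclass, field

ADMIN_PROFILE_ID = 2                        # "2 = Administrator" per the advisory
PROFILE_FIELD = "PP SECURITY PROFILE ID"    # field name as written in the advisory
EDITABLE_BY_SELF = {"display_name", "email"}            # assumed ordinary fields
EDITABLE_BY_ADMIN = EDITABLE_BY_SELF | {PROFILE_FIELD}  # admins may also set profile


@dataclass
class User:
    user_id: int
    security_profile_id: int


@dataclass
class Decision:
    status: int                 # HTTP status the handler should answer with
    applied: dict = field(default_factory=dict)


def patch_user_vulnerable(caller: User, target: User, body: dict) -> Decision:
    """Pattern the advisory describes: the request body of any authenticated
    caller is applied as-is, so the profile field is writable by everyone."""
    if PROFILE_FIELD in body:
        target.security_profile_id = body[PROFILE_FIELD]
    return Decision(200, dict(body))


def patch_user_fixed(caller: User, target: User, body: dict) -> Decision:
    """Hardened handler: authorisation is decided per field before anything is
    written. Non-admins may only touch an allow-list of their own fields; the
    security profile can only be changed by an administrator."""
    is_admin = caller.security_profile_id == ADMIN_PROFILE_ID
    if not is_admin and caller.user_id != target.user_id:
        return Decision(403)                        # may not edit other users
    allowed = EDITABLE_BY_ADMIN if is_admin else EDITABLE_BY_SELF
    if not set(body) <= allowed:
        return Decision(403)                        # privileged/unknown field: reject all
    if PROFILE_FIELD in body:
        if not isinstance(body[PROFILE_FIELD], int):
            return Decision(400)                    # validate type before use
        target.security_profile_id = body[PROFILE_FIELD]
    return Decision(200, dict(body))
```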
Weakness Enumeration
Improper Access Control
Related Identifiers
CVE-2025-64064
Affected Products
Primakon Pi Portal