PT-2025-48073 · Primakon · Pi Portal

Published: 2025-11-25 · Updated: 2025-12-01 · CVE-2025-64065

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Primakon Pi Portal version 1.0.18

Description: The application's /api/V2/pp udfv admin API endpoint does not adequately validate requests on the server side. This allows authenticated users with low privileges to impersonate other users, including administrators, by sending a direct PATCH request. The issue stems from broken function level authorization: the LoginAs function does not verify the caller's permissions. This is combined with an insecure design that allows session switching without requiring the target user's password or an administrative token; only the target user's email address is needed.

Recommendations: Apply server-side validation to the /api/V2/pp udfv admin endpoint to ensure proper access control. Implement privilege checks within the LoginAs function to verify the caller's authorization before allowing user impersonation. Secure the session switching mechanism so that it requires appropriate authentication, such as the target user's password or an administrative token.
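The following added illustration is not Pi Portal's code: it models the broken function level authorization described above next to the hardened form the recommendations call for. The user directory, role names, the X-Admin-Token header and the token value are assumptions chosen for the example.

```python
# Added example (not Pi Portal's code): a minimal "LoginAs" session switch
# in its vulnerable form and in a hardened form that checks the caller's
# privilege and demands an administrative token before impersonation.
import hmac
from dataclasses import dataclass, field

# Constructed sample user directory: email -> role (assumption).
USERS = {
    "alice@example.com": "admin",
    "bob@example.com": "user",
    "carol@example.com": "user",
}
ADMIN_TOKEN = "placeholder-admin-token"  # hypothetical value, not a real secret


@dataclass
class Session:
    user: str                       # email of the authenticated caller
    role: str                       # role looked up at login time
    headers: dict = field(default_factory=dict)  # request headers of the PATCH


def login_as_vulnerable(session: Session, target_email: str) -> str:
    """Broken variant: any authenticated caller switches the session to any
    user by supplying only that user's email. No privilege check is made."""
    if target_email not in USERS:
        raise KeyError("unknown user")
    session.user = target_email
    session.role = USERS[target_email]
    return session.user


def login_as_hardened(session: Session, target_email: str) -> str:
    """Hardened variant: the caller must already hold the admin role and
    present a valid administrative token; otherwise the switch is refused."""
    if session.role != "admin":
        raise PermissionError("LoginAs requires an administrator caller")
    token = session.headers.get("X-Admin-Token", "")
    if not hmac.compare_digest(token, ADMIN_TOKEN):  # constant-time compare
        raise PermissionError("administrative token required for session switch")
    if target_email not in USERS:
        raise KeyError("unknown user")
    session.user = target_email
    session.role = USERS[target_email]
    return session.user


def attempt(handler, session: Session, target_email: str) -> str:
    """Run a LoginAs handler and report the outcome as a short string."""
    try:
        return "switched to " + handler(session, target_email)
    except PermissionError as exc:
        return "denied: " + str(exc)
```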


Weakness Enumeration: Improper Authorization

Related Identifiers: CVE-2025-64065

Affected Products: Pi Portal