PT-2025-48074 · Primakon · Pi Portal

Published: 2025-11-25 · Updated: 2025-12-01 · CVE-2025-64067

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Primakon Pi Portal version 1.0.18

Description: API endpoints that return object-specific or filtered data, such as user profiles and project records, do not adequately enforce server-side authorization. This allows unauthorized access to objects and data belonging to other users through direct ID manipulation and filter omission. Specifically, modifying the user id or project id parameter in a request can grant access to another user's data, and omitting a filtering parameter can cause the endpoint to return an unfiltered dataset containing records for all users. The result is exposure of sensitive personal and organizational information.

Recommendations: Implement robust server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. Ensure that all API endpoints enforce access controls based on user roles and permissions. Apply filtering on the server side so that a client cannot obtain an unfiltered dataset by omitting a parameter.
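The two failure modes in the description, and the session-derived authorization check and server-imposed filter the recommendations call for, as an added illustration in Python. This is not Pi Portal code; the data, routes and role names are constructed for the example and assume nothing about the portal's real schema.

```python
# Added example: object-level authorization for "get user by id" and
# "list projects" style endpoints. Vulnerable and fixed variants side by side.

# Constructed sample tables standing in for the portal's users and projects.
USERS = {
    1: {"id": 1, "email": "alice@example.test", "role": "user"},
    2: {"id": 2, "email": "bob@example.test", "role": "user"},
    9: {"id": 9, "email": "admin@example.test", "role": "admin"},
}
PROJECTS = [
    {"id": 10, "owner_id": 1, "name": "alpha"},
    {"id": 11, "owner_id": 2, "name": "beta"},
    {"id": 12, "owner_id": 1, "name": "gamma"},
]


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object."""


def get_user_vulnerable(params, session_user_id):
    # Trusts the client-supplied id and never consults the session:
    # any caller, authenticated or not, can read any profile (ID manipulation).
    return USERS.get(int(params["user_id"]))


def get_user_fixed(params, session_user_id):
    # Authorization is decided from the server-side session, not the request.
    if session_user_id is None:
        raise Forbidden("authentication required")
    target = int(params["user_id"])
    if target != session_user_id and USERS[session_user_id]["role"] != "admin":
        raise Forbidden("caller is not the owner of this object")
    return USERS.get(target)


def list_projects_vulnerable(params, session_user_id):
    # The filter is optional: omitting owner_id returns every record (filter omission).
    owner = params.get("owner_id")
    return [p for p in PROJECTS if owner is None or p["owner_id"] == int(owner)]


def list_projects_fixed(params, session_user_id):
    # The filter is imposed by the server from the session; a client-supplied
    # owner_id is ignored, so it can neither be omitted nor widened.
    if session_user_id is None:
        raise Forbidden("authentication required")
    if USERS[session_user_id]["role"] == "admin":
        return list(PROJECTS)
    return [p for p in PROJECTS if p["owner_id"] == session_user_id]


def call(handler, params, session_user_id):
    # Dispatcher mapping an authorization failure to a 403-style result.
    try:
        return 200, handler(params, session_user_id)
    except Forbidden:
        return 403, None
```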

Weakness Enumeration: IDOR

Related Identifiers: CVE-2025-64067

Affected Products: Pi Portal