CVE-2025-64062
BaseFortify
Publication date: 2025-11-25
Last updated on: 2025-12-01
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| primakon | project_contract_management | 1.0.18 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Primakon Pi Portal 1.0.18 at the /api/V2/pp_users?email endpoint, which is intended for user data filtering. However, it lacks proper server-side validation to verify that the email parameter corresponds to the authenticated session. An attacker can manipulate the email parameter to impersonate another user and gain full access to that user's data and privileges. Additionally, if the email parameter is left blank, the system defaults to the first user in the list, usually the administrator, allowing immediate privilege escalation to the highest level.
How can this vulnerability impact me?
This vulnerability can allow an attacker to assume the identity of any user by manipulating the email parameter, leading to unauthorized access to sensitive user data and privileges. If exploited, it can result in privilege escalation to administrator level, potentially compromising the entire application and its data.
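The defect described above, modelled as an added example that is not Primakon's code: a lookup that filters only on the client-supplied email parameter (and falls back to the first record, the administrator, when the parameter is blank) beside a hardened version that binds the parameter to the authenticated session and rejects blank input. The user store, function names and `Response` type are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample user store; the first entry is the administrator,
# mirroring the "defaults to the first user" behaviour in the advisory.
USERS = [
    {"email": "admin@example.test", "role": "admin"},
    {"email": "alice@example.test", "role": "user"},
    {"email": "bob@example.test", "role": "user"},
]


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def vulnerable_lookup(session_email: str, email_param: Optional[str]) -> Response:
    """Filters only on the request parameter and never consults the session.
    A blank parameter matches every record, so the first (admin) is returned."""
    matches = [u for u in USERS if not email_param or u["email"] == email_param]
    if not matches:
        return Response(404)
    return Response(200, matches[0])


AUDIT_LOG: list = []  # constructed sink for rejected requests (detection hook)


def hardened_lookup(session_email: str, email_param: Optional[str]) -> Response:
    """Binds the lookup to the authenticated principal and rejects blank input."""
    if not email_param or not email_param.strip():
        return Response(400)  # never fall back to an arbitrary record
    requested = email_param.strip().lower()
    if requested != session_email.strip().lower():
        # Mismatch between session identity and requested identity is the
        # signal defenders should alert on; log it and deny.
        AUDIT_LOG.append({"session": session_email, "requested": requested})
        return Response(403)
    user = next((u for u in USERS if u["email"] == requested), None)
    return Response(200, user) if user else Response(404)
```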