CVE-2025-64065
BaseFortify
Publication date: 2025-11-25
Last updated on: 2025-12-01
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| primakon | project_contract_management | 1.0.18 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Primakon Pi Portal 1.0.18 API at the /api/V2/pp_udfv_admin endpoint. It fails to perform necessary server-side validation for the administrative LoginAs or user impersonation feature. As a result, any authenticated low-privileged user can send a direct PATCH request to impersonate any other user, including administrators, without needing the target user's password or an administrative token. This is caused by a Broken Function Level Authorization failure and an insecure design that allows session switching based only on the target user's email.
How can this vulnerability impact me?
This vulnerability can allow low-privileged users to impersonate higher-privileged users, including administrators, which can lead to unauthorized access to sensitive data, modification of system settings, and potentially full control over the application. This can compromise the security and integrity of the system and its data.