CVE-2025-64066
BaseFortify
Publication date: 2025-11-25
Last updated on: 2025-12-01
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| primakon | project_contract_management | 1.0.18 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in Primakon Pi Portal 1.0.18 is a Broken Access Control issue in the REST /api/v2/user/register endpoint. This endpoint does not perform any authorization checks, allowing unauthenticated attackers to create new user accounts directly in the application's local database. This bypasses the intended security model, which expects user registration to be handled only through an external Identity Provider and restricts internal user creation to administrators. Additionally, attackers can use this flaw to enumerate existing user accounts, facilitating social engineering or further attacks.
How can this vulnerability impact me?
This vulnerability can allow attackers to register unauthorized user accounts, bypassing security controls. It can be chained with other vulnerabilities to escalate privileges and potentially fully compromise the application. The ability to enumerate existing users also aids attackers in targeted social engineering or further exploitation, increasing the risk to the application's security and user data.
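The following is an added illustration, not code from Primakon or from this record, of the control that is missing in the register endpoint described above: a handler with no authorization check beside one that enforces the intended model (internal user creation only by an authenticated administrator). The request/store types, role names and response codes are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

ADMIN_ROLE = "admin"  # assumed role name for the portal's administrators


@dataclass
class Request:
    """Minimal stand-in for an HTTP request to /api/v2/user/register."""
    body: dict
    session_role: Optional[str] = None  # None models an unauthenticated caller


@dataclass
class UserStore:
    """Stand-in for the application's local user table."""
    users: dict = field(default_factory=dict)


def register_vulnerable(req: Request, store: UserStore) -> Tuple[int, dict]:
    """Pattern of the flaw: the caller's identity is never consulted.

    Anyone who can reach the endpoint creates accounts in the local
    database, and the 409 reply doubles as a user-enumeration oracle.
    """
    name = req.body.get("username", "")
    if name in store.users:
        return 409, {"error": "user already exists"}
    store.users[name] = {"role": "user"}
    return 201, {"created": name}


def register_hardened(req: Request, store: UserStore) -> Tuple[int, dict]:
    """Authorization is decided before any state or lookup is touched.

    Unauthenticated and non-admin callers get the same 403 regardless of
    the username, so the endpoint no longer reveals which accounts exist
    to anyone outside the administrator role the design reserves it for.
    """
    if req.session_role != ADMIN_ROLE:
        return 403, {"error": "forbidden"}
    name = req.body.get("username", "")
    if not name.isalnum():  # basic input validation, still admin-only
        return 400, {"error": "invalid username"}
    if name in store.users:
        return 409, {"error": "user already exists"}
    store.users[name] = {"role": "user"}
    return 201, {"created": name}
```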