
31 matches found

RedhatCVE
added 2025/11/26 12:42 a.m., 5 views

CVE-2025-64065

The Primakon Pi Portal 1.0.18 API /api/V2/ppudfvadmin endpoint fails to perform necessary server-side validation. The administrative LoginAs or user impersonation feature is vulnerable to an access control failure. This flaw allows any authenticated low-privileged user to execute a direct PATCH...

8.8 CVSS, 7.2 AI score, 0.00056 EPSS
Exploits 0, References 1
RedhatCVE
added 2025/11/26 12:42 a.m., 3 views

CVE-2025-64064

Primakon Pi Portal 1.0.18 /api/v2/ppusers endpoint fails to adequately check user permissions before processing a PATCH request to modify the PPSECURITYPROFILEID. Because of weak access controls, any low-level user can use this API and change their permission to Administrator by using...

8.8 CVSS, 7 AI score, 0.00052 EPSS
Exploits 0, References 1
EUVD
added 2025/11/25 9:32 p.m., 0 views

EUVD-2025-199636

Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data (e.g., user profiles, project records) fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This...

5.3 CVSS, 6 AI score, 0.00038 EPSS
Exploits 0, References 3
NVD
added 2025/11/25 7:15 p.m., 1 views

CVE-2025-64067

Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data (e.g., user profiles, project records) fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This...

5.3 CVSS, 0.00038 EPSS
Exploits 0, References 2
NVD
added 2025/11/25 7:15 p.m., 2 views

CVE-2025-64063

Primakon Pi Portal 1.0.18 API endpoints fail to enforce sufficient authorization checks when processing requests. Specifically, a standard user can exploit this flaw by sending direct HTTP requests to administrative endpoints, bypassing the UI restrictions. This allows the attacker to manipulate...

9.8 CVSS, 0.00059 EPSS
Exploits 0, References 2
NVD
added 2025/11/25 7:15 p.m., 1 views

CVE-2025-64064

Primakon Pi Portal 1.0.18 /api/v2/ppusers endpoint fails to adequately check user permissions before processing a PATCH request to modify the PPSECURITYPROFILEID. Because of weak access controls, any low-level user can use this API and change their permission to Administrator by using...

8.8 CVSS, 0.00052 EPSS
Exploits 0, References 2
OSV
added 2025/11/25 7:15 p.m., 2 views

CVE-2025-64067

Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data (e.g., user profiles, project records) fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This...

5.3 CVSS, 5.7 AI score, 0.00038 EPSS
Exploits 0, References 2
OSV
added 2025/11/25 7:15 p.m., 1 views

CVE-2025-64065

The Primakon Pi Portal 1.0.18 API /api/V2/ppudfvadmin endpoint fails to perform necessary server-side validation. The administrative LoginAs or user impersonation feature is vulnerable to an access control failure. This flaw allows any authenticated low-privileged user to execute a direct PATCH...

8.8 CVSS, 6 AI score, 0.00056 EPSS
Exploits 0, References 2
OSV
added 2025/11/25 6:15 p.m., 0 views

CVE-2025-64062

The Primakon Pi Portal 1.0.18 /api/V2/ppusers?email endpoint is used for user data filtering but lacks proper server-side validation against the authenticated session. By manipulating the email parameter to an arbitrary value (e.g., [email protected]), an attacker can assume the session and gain...

8.8 CVSS, 5.9 AI score, 0.00056 EPSS
Exploits 0, References 2
NVD
added 2025/11/25 5:15 p.m., 2 views

CVE-2025-64061

Primakon Pi Portal 1.0.18 /api/v2/users endpoint is vulnerable to unauthorized data exposure due to deficient access control mechanisms. Any authenticated user, regardless of their privilege level (including standard or low-privileged users), can make a GET request to this endpoint and retrieve a...

4.3 CVSS, 0.00037 EPSS
Exploits 0, References 2
CNNVD
added 2025/11/25 12:00 a.m., 1 views

Primakon Pi Portal security vulnerability

Primakon Pi Portal is a project and contract management platform from Primakon Croatia. A security vulnerability exists in Primakon Pi Portal version 1.0.18, which stems from insufficient checking of permissions in the /api/v2/ppusers endpoint, which could lead to elevated privileges...

8.8 CVSS, 6.7 AI score, 0.00052 EPSS
Exploits 0, References 3
CNNVD
added 2025/11/25 12:00 a.m., 2 views

Primakon Pi Portal security vulnerability

Primakon Pi Portal is a project and contract management platform from Primakon Croatia. A security vulnerability exists in Primakon Pi Portal version 1.0.18, which stems from insufficient authorization checking of API endpoints and could lead to unauthorized data manipulation and elevation of...

9.8 CVSS, 6.6 AI score, 0.00059 EPSS
Exploits 0, References 3
CNNVD
added 2025/11/25 12:00 a.m., 1 views

Primakon Pi Portal security vulnerability

Primakon Pi Portal is a project and contract management platform from Primakon Croatia. A security vulnerability exists in Primakon Pi Portal version 1.0.18, which stems from insufficient authentication of the /api/V2/ppudfvadmin endpoint and could lead to user impersonation...

8.8 CVSS, 6.8 AI score, 0.00056 EPSS
Exploits 0, References 3
Cvelist
added 2025/11/25 12:00 a.m., 4 views

CVE-2025-64067

Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data (e.g., user profiles, project records) fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This...

0.00038 EPSS
Exploits 0, References 2
Vulnrichment
added 2025/11/25 12:00 a.m., 2 views

CVE-2025-64061

Primakon Pi Portal 1.0.18 /api/v2/users endpoint is vulnerable to unauthorized data exposure due to deficient access control mechanisms. Any authenticated user, regardless of their privilege level (including standard or low-privileged users), can make a GET request to this endpoint and retrieve a...

6.6 AI score, 0.00037 EPSS
Exploits 0, References 2
CVE
added 2025/11/25 12:00 a.m., 5 views

CVE-2025-64066

The CVE-2025-64066 entry concerns Primakon Pi Portal 1.0.18. The /api/v2/user/register endpoint is missing authorization checks, allowing unauthenticated POST requests to create local user accounts. This breaks the intended security model that relies on an external Identity Provider for initial r...

8.6 CVSS, 6.6 AI score, 0.00191 EPSS
Exploits 0, References 2, Affected Software 1
CNNVD
added 2025/11/25 12:00 a.m., 1 views

Primakon Pi Portal security vulnerability

Primakon Pi Portal is a project and contract management platform from Primakon Croatia. A security vulnerability exists in Primakon Pi Portal version 1.0.18, which stems from a lack of authorization checking in the /api/v2/user/register endpoint, which could lead to unauthorized user registration...

8.6 CVSS, 6.6 AI score, 0.00191 EPSS
Exploits 0, References 3
CNNVD
added 2025/11/25 12:00 a.m., 1 views

Primakon Pi Portal security vulnerability

Primakon Pi Portal is a project and contract management platform from Primakon Croatia. A security vulnerability exists in Primakon Pi Portal version 1.0.18, which stems from a lack of session authentication in the /api/V2/ppusers?email endpoint, which could lead to elevated privileges...

8.8 CVSS, 6.9 AI score, 0.00056 EPSS
Exploits 0, References 3
Vulnrichment
added 2025/11/25 12:00 a.m., 2 views

CVE-2025-64063

Primakon Pi Portal 1.0.18 API endpoints fail to enforce sufficient authorization checks when processing requests. Specifically, a standard user can exploit this flaw by sending direct HTTP requests to administrative endpoints, bypassing the UI restrictions. This allows the attacker to manipulate...

6.5 AI score, 0.00059 EPSS
Exploits 0, References 2
CNNVD
added 2025/11/25 12:00 a.m., 1 views

Primakon Pi Portal security vulnerability

Primakon Pi Portal is a project and contract management platform from Primakon Croatia. A security vulnerability exists in Primakon Pi Portal version 1.0.18, which stems from insufficient access control in the /api/v2/users endpoint and could lead to unauthorized data disclosure...

4.3 CVSS, 6.6 AI score, 0.00037 EPSS
Exploits 0, References 3