CVE-2025-64062

HIGH

Primakon Pi Portal 1.0.18 - Authenticated Privilege Escalation via Email Parameter Manipulation

Title source: llm

Description

The Primakon Pi Portal 1.0.18 /api/V2/pp_users?email endpoint is used for user data filtering but lacks proper server-side validation against the authenticated session. By manipulating the email parameter to an arbitrary value (e.g., [email protected]), an attacker can assume the session and gain full access to the target user's data and privileges. Also, if the email parameter is left blank, the application defaults to the first user in the list, who is typically the application administrator, resulting in an immediate Privilege Escalation to the highest level.

References (2)

Core 2

Core References

Third Party Advisory

https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64062.md

View Writeup ZIP pw:eip

Product

https://www.primakon.com/rjesenja/primakon-pcm/

Scores

CVSS v3 8.8

EPSS 0.0025

EPSS Percentile 15.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-285

Status published

Products (1)

primakon/project_contract_management 1.0.18

Published Nov 25, 2025

Tracked Since Feb 18, 2026