Primakon Project Contract Management vulnerabilities
7 known vulnerabilities affecting primakon/project_contract_management.
Total CVEs
7
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL1HIGH4MEDIUM2
Vulnerabilities
Page 1 of 1
CVE-2025-64063P2CRITICALCVSS 9.8v1.0.182025-11-25
CVE-2025-64063 [CRITICAL] CWE-285 CVE-2025-64063: Primakon Pi Portal 1.0.18 API endpoints fail to enforce sufficient authorization checks when process
Primakon Pi Portal 1.0.18 API endpoints fail to enforce sufficient authorization checks when processing requests. Specifically, a standard user can exploit this flaw by sending direct HTTP requests to administrative endpoints, bypassing the UI restrictions. This allows the attacker to manipulate data outside their assigned scope, including: Unauth
nvd
CVE-2025-64065P2HIGHCVSS 8.8v1.0.182025-11-25
CVE-2025-64065 [HIGH] CWE-285 CVE-2025-64065: The Primakon Pi Portal 1.0.18 API /api/V2/pp_udfv_admin endpoint, fails to perform necessary server-
The Primakon Pi Portal 1.0.18 API /api/V2/pp_udfv_admin endpoint, fails to perform necessary server-side validation. The administrative LoginAs or user impersonation feature is vulnerable to a access control failure. This flaw allows any authenticated low-privileged user to execute a direct PATCH request, enabling them to impersonate any other arbitra
nvd
CVE-2025-64062P3HIGHCVSS 8.8v1.0.182025-11-25
CVE-2025-64062 [HIGH] CWE-285 CVE-2025-64062: The Primakon Pi Portal 1.0.18 /api/V2/pp_users?email endpoint is used for user data filtering but la
The Primakon Pi Portal 1.0.18 /api/V2/pp_users?email endpoint is used for user data filtering but lacks proper server-side validation against the authenticated session. By manipulating the email parameter to an arbitrary value (e.g., [email protected]), an attacker can assume the session and gain full access to the target user's data and privileges.
nvd
CVE-2025-64064P3HIGHCVSS 8.8v1.0.182025-11-25
CVE-2025-64064 [HIGH] CWE-284 CVE-2025-64064: Primakon Pi Portal 1.0.18 /api/v2/pp_users endpoint fails to adequately check user permissions befor
Primakon Pi Portal 1.0.18 /api/v2/pp_users endpoint fails to adequately check user permissions before processing a PATCH request to modify the PP_SECURITY_PROFILE_ID. Because of weak access controls any low level user can use this API and change their permission to Administrator by using PP_SECURITY_PROFILE_ID=2 inside body of request and escalate pri
nvd
CVE-2025-64066P3HIGHCVSS 8.6v1.0.182025-11-25
CVE-2025-64066 [HIGH] CWE-284 CVE-2025-64066: Primakon Pi Portal 1.0.18 REST /api/v2/user/register endpoint suffers from a Broken Access Control v
Primakon Pi Portal 1.0.18 REST /api/v2/user/register endpoint suffers from a Broken Access Control vulnerability. The endpoint fails to implement any authorization checks, allowing unauthenticated attackers to perform POST requests to register new user accounts in the application's local database. This bypasses the intended security architecture, whic
nvd
CVE-2025-64067P4MEDIUMCVSS 5.3v1.0.182025-11-25
CVE-2025-64067 [MEDIUM] CWE-639 CVE-2025-64067: Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data
Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data (e.g., user profiles, project records) fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This vulnerability can be exploited in two ways: Direct ID manipulat
nvd
CVE-2025-64061P4MEDIUMCVSS 4.3v1.0.182025-11-25
CVE-2025-64061 [MEDIUM] CWE-497 CVE-2025-64061: Primakon Pi Portal 1.0.18 /api/v2/users endpoint is vulnerable to unauthorized data exposure due to
Primakon Pi Portal 1.0.18 /api/v2/users endpoint is vulnerable to unauthorized data exposure due to deficient access control mechanisms. Any authenticated user, regardless of their privilege level (including standard or low-privileged users), can make a GET request to this endpoint and retrieve a complete, unfiltered list of all registered applicatio
nvd