Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data (e.g., user profiles, project records) fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This vulnerability can be exploited in two ways: Direct ID manipulation and IDOR, by changing an ID parameter (e.g., user_id, project_id) in the request, an attacker can access the object and data belonging to another user; and filter Omission, by omitting the filtering parameter entirely, an attacker can cause the endpoint to return an entire unfiltered dataset of all stored records for all users. This flaw leads to the unauthorized exposure of sensitive personal and organizational information.

CVE Database V5

Detailed information about CVE-2025-64067: n/a. Get real-time updates, technical details, and mitigation strategies.

CVE-2025-64067: n/a - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-64067: n/a

An issue in the cms_rest.php component of SIGB PMB v8.0.1.14 allows attackers to execute arbitrary code via unserializing an arbitrary file.

Detailed information about CVE-2025-61168: n/a. Get real-time updates, technical details, and mitigation strategies.

CVE-2025-61168: n/a - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-61168: n/a

CVE-2025-64065 is a critical access control vulnerability in the Primakon Pi Portal 1. 0. 18 API, specifically in the /api/V2/pp_udfv_admin endpoint. It allows any authenticated low-privileged user to impersonate any other user, including administrators, by sending a crafted PATCH request with only the target user's email. This flaw arises from broken function level authorization and insecure design that does not require the target user's password or an administrative token for session switching. Exploitation can lead to full administrative control over the application without proper privileges. No public exploits are known yet, but the vulnerability poses a severe risk to confidentiality, integrity, and availability. European organizations using this product are at high risk, especially those in critical infrastructure or sectors with sensitive data. Immediate mitigation involves restricting access to the vulnerable endpoint, implementing strict server-side authorization checks, and monitoring for suspicious impersonation attempts. Countries with higher adoption of Primakon Pi Portal or strategic sectors relying on it are most likely affected.

CVE-2025-64065 identifies a severe security vulnerability in the Primakon Pi Portal version 1.0.18, specifically targeting the API endpoint /api/V2/pp_udfv_admin. The vulnerability stems from a broken function level authorization mechanism combined with insecure design choices. The affected endpoint exposes a LoginAs or user impersonation feature that fails to validate the privileges of the caller properly. As a result, any authenticated user with low privileges can craft a direct PATCH HTTP request to impersonate any arbitrary user, including high-privilege administrators, by supplying only the target user's email address. This bypasses typical authentication requirements such as the target user's password or an administrative token, enabling unauthorized session switching. The lack of server-side validation means the system trusts the request without verifying if the requester has the right to perform impersonation. This flaw compromises the confidentiality and integrity of user accounts and can lead to full administrative control over the application, allowing attackers to manipulate data, escalate privileges, and disrupt services. Although no known exploits are currently reported in the wild, the vulnerability's nature and ease of exploitation make it a significant threat. The absence of a CVSS score necessitates an expert severity assessment, which rates this vulnerability as critical due to its potential impact and exploitation simplicity. The vulnerability affects all deployments of Primakon Pi Portal 1.0.18 and possibly earlier versions if they share the same codebase. Organizations relying on this portal for administrative tasks or user management must urgently address this issue to prevent unauthorized access and potential data breaches.

Detailed information about CVE-2025-64065: n/a. Get real-time updates, technical details, and mitigation strategies.

CVE-2025-64065: n/a - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-64065: n/a

Primakon Pi Portal 1.0.18 /api/v2/pp_users endpoint fails to adequately check user permissions before processing a PATCH request to modify the PP_SECURITY_PROFILE_ID. Because of weak access controls any low level user can use this API and change their permission to Administrator by using PP_SECURITY_PROFILE_ID=2 inside body of request and escalate privileges.

Detailed information about CVE-2025-64064: n/a. Get real-time updates, technical details, and mitigation strategies.

CVE-2025-64064: n/a - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-64064: n/a

SIGB PMB v8.0.1.14 was discovered to contain multiple SQL injection vulnerabilities in the /opac_css/ajax_selector.php component via the id and datas parameters.

Detailed information about CVE-2025-61167: n/a. Get real-time updates, technical details, and mitigation strategies.

CVE-2025-61167: n/a

CVE-2025-61167: n/a

Description

Technical Details

Community Reviews

Related Threats

CVE-2025-64067: n/a

CVE-2025-61168: n/a

CVE-2025-64065: n/a

CVE-2025-64064: n/a

CVE-2025-64063: n/a

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility