rimakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data (e.g., user profiles, project records) fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This vulnerability can be exploited in two ways: Direct ID manipulation and IDOR, by changing an ID parameter (e.g., user_id, project_id) in the request, an attacker can access the object and data belonging to another user; and filter Omission, by omitting the filtering parameter entirely, an attacker can cause the endpoint to return an entire unfiltered dataset of all stored records for all users. This flaw leads to the unauthorized exposure of sensitive personal and organizational information.
| Link | Resource |
|---|---|
| https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64067.md | Third Party Advisory |
| https://www.primakon.com/rjesenja/primakon-pcm/ | Product |
01 Dec 2025, 14:22
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:primakon:project_contract_management:1.0.18:*:*:*:*:*:*:* | |
| First Time |
Primakon
Primakon project Contract Management |
|
| References | () https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64067.md - Third Party Advisory | |
| References | () https://www.primakon.com/rjesenja/primakon-pcm/ - Product |
25 Nov 2025, 21:15
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-639 | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.3 |
25 Nov 2025, 19:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Published : 2025-11-25 19:15
Updated : 2025-12-01 14:22
NVD link : CVE-2025-64067
Mitre link : CVE-2025-64067
CVE.ORG link : CVE-2025-64067
JSON object : View
Authorization Bypass Through User-Controlled Key