CVE-2025-64063 - Broken function level authorization on multiple API endpoints Vulnerability Description Primakon Pi Portal 1.0.18 API endpoints fail to enforce sufficient authorization checks when processing requests. Specifically, a low-level user can exploit this flaw by sending direct HTTP requests to administrative endpoints, bypassing the UI restrictions. This allows the attacker to manipulate data outside their assigned scope, including: 1. Unauthorized Account Modification - modifying/deleting arbitrary user accounts and changing passwords by sending a direct request to the user management API endpoint. 2. Confidential Data Access - accessing and downloading sensitive organizational documents via a direct request to the document retrieval API. 3. Privilege Escalation.