CVE-2025-62523 — MEDIUM (6.3)

Q: How severe is CVE-2025-62523?

CVE-2025-62523 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2025-62523?

Check the references section above for vendor advisories and patch information. Affected products include: Thm Pilos.

Vulnerability Description

PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. PILOS before 4.8.0 includes a Cross-Origin Resource Sharing (CORS) misconfiguration in its middleware: it reflects the Origin request header back in the Access-Control-Allow-Origin response header without proper validation or a whitelist, while Access-Control-Allow-Credentials is set to true. This behavior could allow a malicious website on a different origin to send requests (including credentials) to the PILOS API. This may enable exfiltration or actions using the victim’s credentials if the server accepts those cross-origin requests as authenticated. Laravel’s session handling applies additional origin checks such that cross-origin requests are not authenticated by default. Because of these session-origin protections, and in the absence of any other unknown vulnerabilities that would bypass Laravel’s origin/session checks, this reflected-Origin CORS misconfiguration is not believed to be exploitable in typical PILOS deployments. This vulnerability has been patched in PILOS in v4.8.0

CVSS Score

6.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Thm	Pilos	< 4.8.0

Related Weaknesses (CWE)

CWE-942

References

https://github.com/THM-Health/PILOS/commit/14655bc4f8128ffd2b3c25004b01d9a802808Patch
https://github.com/THM-Health/PILOS/security/advisories/GHSA-pgfw-f4mp-5445MitigationVendor Advisory

FAQ

What is CVE-2025-62523?

CVE-2025-62523 is a vulnerability with a CVSS score of 6.3 (MEDIUM). PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. PILOS before 4.8.0 includes a Cross-Origin Resource Sharing (CORS) misconfiguration in its middleware: it reflect...

How severe is CVE-2025-62523?

CVE-2025-62523 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-62523?

Check the references section above for vendor advisories and patch information. Affected products include: Thm Pilos.