CVE-2025-62523
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-27

Last updated on: 2025-11-04

Assigner: GitHub, Inc.

Description
PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. PILOS before 4.8.0 includes a Cross-Origin Resource Sharing (CORS) misconfiguration in its middleware: it reflects the Origin request header back in the Access-Control-Allow-Origin response header without proper validation or a whitelist, while Access-Control-Allow-Credentials is set to true. This behavior could allow a malicious website on a different origin to send requests (including credentials) to the PILOS API. This may enable exfiltration or actions using the victim’s credentials if the server accepts those cross-origin requests as authenticated. Laravel’s session handling applies additional origin checks such that cross-origin requests are not authenticated by default. Because of these session-origin protections, and in the absence of any other unknown vulnerabilities that would bypass Laravel’s origin/session checks, this reflected-Origin CORS misconfiguration is not believed to be exploitable in typical PILOS deployments. This vulnerability has been patched in PILOS in v4.8.0
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-27
Last Modified
2025-11-04
Generated
2026-06-16
AI Q&A
2025-10-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62523
EUVD
EUVD-2025-36363
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
thm pilos to 4.8.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-942 The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Origin Resource Sharing (CORS) misconfiguration in PILOS before version 4.8.0. The middleware reflects the Origin request header back in the Access-Control-Allow-Origin response header without proper validation or a whitelist, while Access-Control-Allow-Credentials is set to true. This could allow a malicious website from a different origin to send requests, including credentials, to the PILOS API. However, Laravel's session handling adds origin checks that prevent cross-origin requests from being authenticated by default, so this vulnerability is not believed to be exploitable in typical PILOS deployments. The issue was fixed in version 4.8.0.

Impact Analysis

If exploitable, this vulnerability could allow a malicious website to perform actions or exfiltrate data using the victim's credentials by sending authenticated cross-origin requests to the PILOS API. However, due to Laravel's session-origin protections, such exploitation is unlikely in typical deployments unless other unknown vulnerabilities exist.

Mitigation Strategies

Upgrade PILOS to version 4.8.0 or later, where the CORS misconfiguration vulnerability has been patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62523. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart