CVE-2025-62781
BaseFortify
Publication date: 2025-10-27
Last updated on: 2025-11-04
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| thm | pilos | to 4.8.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in PILOS (Platform for Interactive Live-Online Seminars) versions prior to 4.8.0. When a user changes their password while logged in, all other active sessions are terminated except the current one. However, the current session's token is not refreshed and remains valid. If an attacker has previously obtained this session token through another vulnerability, they can continue to access the user's account even after the password change, effectively bypassing the password update.
How can this vulnerability impact me? :
An attacker who has obtained a valid session token can maintain unauthorized access to a user's account even after the user changes their password. This means the attacker can continue to act as the user, potentially accessing sensitive information or performing unauthorized actions despite the password change.
What immediate steps should I take to mitigate this vulnerability?
Upgrade PILOS to version 4.8.0 or later, as this version contains the fix that properly invalidates session tokens after a password change, preventing attackers from maintaining access.