CVE-2025-62523

MEDIUM

THM Pilos < 4.8.0 - Permissive CORS Policy

Title source: rule

Description

PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. PILOS before 4.8.0 includes a Cross-Origin Resource Sharing (CORS) misconfiguration in its middleware: it reflects the Origin request header back in the Access-Control-Allow-Origin response header without proper validation or a whitelist, while Access-Control-Allow-Credentials is set to true. This behavior could allow a malicious website on a different origin to send requests (including credentials) to the PILOS API. This may enable exfiltration or actions using the victim’s credentials if the server accepts those cross-origin requests as authenticated. Laravel’s session handling applies additional origin checks such that cross-origin requests are not authenticated by default. Because of these session-origin protections, and in the absence of any other unknown vulnerabilities that would bypass Laravel’s origin/session checks, this reflected-Origin CORS misconfiguration is not believed to be exploitable in typical PILOS deployments. This vulnerability has been patched in PILOS in v4.8.0

References (2)

[Mitigation, Vendor Advisory] https://github.com/THM-Health/PILOS/security/advisories/GHSA-pgfw-f4mp-5445

[Patch] https://github.com/THM-Health/PILOS/commit/14655bc4f8128ffd2b3c25004b01d9a802808da8

View Patch ZIP pw:eip

Scores

CVSS v3 6.3

EPSS 0.0004

EPSS Percentile 12.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-942

Status published

Products (1)

thm/pilos < 4.8.0

Published Oct 27, 2025

Tracked Since Feb 18, 2026