CVE-2025-62523
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-62523
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-62523.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-62523
- Aliases
-
- GHSA-pgfw-f4mp-5445
- Published
- 2025-10-27T20:10:51.351Z
- Modified
- 2025-12-02T20:17:13.621767Z
- Severity
-
- 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- PILOS Misconfigured the Access-Control-Allow-Origin Header
- Details
-
PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. PILOS before 4.8.0 includes a Cross-Origin Resource Sharing (CORS) misconfiguration in its middleware: it reflects the Origin request header back in the Access-Control-Allow-Origin response header without proper validation or a whitelist, while Access-Control-Allow-Credentials is set to true. This behavior could allow a malicious website on a different origin to send requests (including credentials) to the PILOS API. This may enable exfiltration or actions using the victim’s credentials if the server accepts those cross-origin requests as authenticated. Laravel’s session handling applies additional origin checks such that cross-origin requests are not authenticated by default. Because of these session-origin protections, and in the absence of any other unknown vulnerabilities that would bypass Laravel’s origin/session checks, this reflected-Origin CORS misconfiguration is not believed to be exploitable in typical PILOS deployments. This vulnerability has been patched in PILOS in v4.8.0
- Database specific
{ "cwe_ids": [ "CWE-942" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62523.json", "cna_assigner": "GitHub_M" }- References
Affected packages
Git / github.com/thm-health/pilos
Affected ranges
- Type
- GIT
- Repo
- https://github.com/thm-health/pilos
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed