PT-2025-44036 · Laravel+2

Published 2025-10-27 · Updated 2025-11-04 · CVE-2025-62523

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: PILOS versions prior to 4.8.0

Description: PILOS, a frontend for BigBlueButton, has a Cross-Origin Resource Sharing (CORS) misconfiguration in its middleware. The system reflects the Origin request header in the Access-Control-Allow-Origin response header without validation or a whitelist, while Access-Control-Allow-Credentials is set to true. This could allow a malicious website from a different origin to send requests, potentially including credentials, to the PILOS API. Exploitation may enable the exfiltration of data or actions using the victim’s credentials if the server accepts these cross-origin requests as authenticated. Laravel’s session handling includes origin checks that prevent authentication of cross-origin requests by default, and this misconfiguration is not believed to be exploitable in typical deployments due to these session-origin protections.

Recommendations: Update to PILOS version 4.8.0 or later.
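The following is an added example, not code from PILOS, Laravel or the advisory: a defender-side check that rates a single CORS response for the pattern described above (an untrusted Origin reflected into Access-Control-Allow-Origin while Access-Control-Allow-Credentials is true), next to the allowlist lookup a corrected middleware would use instead of reflection. The origins, allowlist and response headers are constructed samples.

```python
# Added example, not PILOS or Laravel code: classify one CORS response for the
# reflect-Origin-with-credentials misconfiguration, and show the allowlist
# lookup a fixed middleware uses instead. All values below are constructed.

def allowed_origin_header(origin, allowlist):
    """Value a correctly configured middleware emits for Access-Control-Allow-Origin:
    the exact request Origin only if it is allowlisted, otherwise no header at all."""
    return origin if origin in allowlist else None

def classify_cors(probe_origin, response_headers, allowlist):
    """Rate a response to a request that carried `Origin: probe_origin`, where
    probe_origin is an origin the checker controls and the deployment must not trust."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}  # names are case-insensitive
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "ok", "no Access-Control-Allow-Origin; the browser blocks cross-origin reads"
    if acao == "*":
        return "info", "wildcard origin; browsers refuse credentialed reads under '*'"
    if acao == probe_origin and probe_origin not in allowlist:
        if creds:
            return "high", "untrusted Origin reflected with Allow-Credentials: true"
        return "medium", "untrusted Origin reflected without credentials"
    if acao in allowlist:
        return "ok", "Access-Control-Allow-Origin limited to an allowlisted origin"
    return "info", f"static Access-Control-Allow-Origin {acao!r} is not on the allowlist"

ALLOWLIST = {"https://pilos.example.org"}   # constructed: the origin the deployment trusts
PROBE = "https://third-party.example"       # constructed: an origin that must not be trusted

# Constructed responses to a request carrying `Origin: https://third-party.example`
SAMPLES = {
    "reflected_with_credentials": {"Access-Control-Allow-Origin": PROBE,
                                   "Access-Control-Allow-Credentials": "true"},
    "reflected_no_credentials": {"Access-Control-Allow-Origin": PROBE},
    "allowlisted_only": {"Access-Control-Allow-Origin": "https://pilos.example.org",
                         "Access-Control-Allow-Credentials": "true"},
    "wildcard": {"Access-Control-Allow-Origin": "*"},
    "no_cors": {"Content-Type": "application/json"},
}

def run_samples():
    """Severity per constructed sample; only the reflection case rates 'high'."""
    return {name: classify_cors(PROBE, hdrs, ALLOWLIST)[0] for name, hdrs in SAMPLES.items()}

if __name__ == "__main__":
    for name, severity in run_samples().items():
        print(f"{severity:6} {name}")
```

Against a live deployment the same function is applied to the headers of a response to a request that carries a controlled, non-allowlisted Origin; a "high" rating on an authenticated API route is the signal to apply the 4.8.0 update or enforce an origin allowlist.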

Related Identifiers

CVE-2025-62523
GHSA-PGFW-F4MP-5445

Affected Products

Bigbluebutton
Laravel
Pilos