CVE-2025-62524

PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. PILOS before 4.8.0 exposes the PHP version via the X-Powered-By header, enabling attackers to fingerprint the server and assess potential exploits. This information disclosure vulnerability originates from PHP’s base image. Additionally, the PHP version can also be inferred through the PILOS version displayed in the footer and by examining the source code available on GitHub. This information disclosure vulnerability has been patched in PILOS in v4.8.0.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/THM-Health/PILOS/commit/14655bc4f8128ffd2b3c25004b01d9a802808da8	Patch
https://github.com/THM-Health/PILOS/security/advisories/GHSA-q93h-5j6h-j22x	Vendor Advisory Mitigation

Configurations

Configuration 1 (hide)

cpe:2.3:a:thm:pilos:*:*:*:*:*:*:*:*

History

04 Nov 2025, 18:36

Type	Values Removed	Values Added
First Time		Thm pilos Thm
References	~~() https://github.com/THM-Health/PILOS/commit/14655bc4f8128ffd2b3c25004b01d9a802808da8 -~~	() https://github.com/THM-Health/PILOS/commit/14655bc4f8128ffd2b3c25004b01d9a802808da8 - Patch
References	~~() https://github.com/THM-Health/PILOS/security/advisories/GHSA-q93h-5j6h-j22x -~~	() https://github.com/THM-Health/PILOS/security/advisories/GHSA-q93h-5j6h-j22x - Vendor Advisory, Mitigation
CPE		cpe:2.3:a:thm:pilos::::::::

27 Oct 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-10-27 21:15

Updated : 2025-11-04 18:36

NVD link : CVE-2025-62524

Mitre link : CVE-2025-62524

CVE.ORG link : CVE-2025-62524

JSON object : View

Products Affected

thm

pilos

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-497

Exposure of Sensitive System Information to an Unauthorized Control Sphere

{"id": "CVE-2025-62524", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2025-10-27T21:15:37.930", "references": [{"url": "https://github.com/THM-Health/PILOS/commit/14655bc4f8128ffd2b3c25004b01d9a802808da8", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/THM-Health/PILOS/security/advisories/GHSA-q93h-5j6h-j22x", "tags": ["Vendor Advisory", "Mitigation"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-497"}]}], "descriptions": [{"lang": "en", "value": "PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. PILOS before 4.8.0 exposes the PHP version via the X-Powered-By header, enabling attackers to fingerprint the server and assess potential exploits. This information disclosure vulnerability originates from PHP\u2019s base image. Additionally, the PHP version can also be inferred through the PILOS version displayed in the footer and by examining the source code available on GitHub. This information disclosure vulnerability has been patched in PILOS in v4.8.0."}], "lastModified": "2025-11-04T18:36:37.193", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:thm:pilos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "91445D94-4D77-4EFF-A078-6AEF72F6E116", "versionEndExcluding": "4.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}