CVE-2025-62524

Published: Oct 27, 2025Modified: Nov 4, 2025

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. PILOS before 4.8.0 exposes the PHP version via the X-Powered-By header, enabling attackers to fingerprint the server and assess potential exploits. This information disclosure vulnerability originates from PHP’s base image. Additionally, the PHP version can also be inferred through the PILOS version displayed in the footer and by examining the source code available on GitHub. This information disclosure vulnerability has been patched in PILOS in v4.8.0.

Affected (1)

Products: Thm: Pilos

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Thm Pilos	Before 4.8.0

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Exposure of Sensitive System Information to an Unauthorized Control Sphere

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

References (2)

https://github.com/THM-Health/PILOS/commit/14655bc4f8128ffd2b3c25004b01d9a802808da8

Source: security-advisories@github.com

Patch

https://github.com/THM-Health/PILOS/security/advisories/GHSA-q93h-5j6h-j22x

Source: security-advisories@github.com

MitigationVendor Advisory

Timeline

No history available yet.