CVE-2025-62781— PILOS 代码问题漏洞

PILOS is missing session regeneration after password change

PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.8.0, users with a local account can change their password while logged in. When doing so, all other active sessions are terminated, except for the currently active one. However, the current session’s token remains valid and is not refreshed. If an attacker has previously obtained this session token through another vulnerability, changing the password will not invalidate their access. As a result, the attacker can continue to act as the user even after the password has been changed. This vulnerability is fixed in 4.8.0.

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

不充分的会话过期机制

PILOS 代码问题漏洞

PILOS是THM开源的一个前端软件。 PILOS 4.8.0之前版本存在代码问题漏洞，该漏洞源于密码更改后当前会话令牌未失效，可能导致攻击者继续使用已获取的会话令牌维持访问权限。

N/A

N/A