PILOS Password Change Vulnerability Allows Session Hijacking

Vulnerability

PILOS, a frontend for BigBlueButton, allows users with a local account to change their password while logged in. In versions prior to 4.8.0, changing the password terminates all of the user's other active sessions but leaves the current session untouched: its session token is neither invalidated nor refreshed. An attacker who obtained that session token before the change can therefore continue to act as the user even after the password has been changed.
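The following is an added example, not code from PILOS or the advisory, showing the difference between the behaviour described above and the expected fix in a minimal in-memory session store (the `SessionStore` class, the user table and the two `change_password_*` handlers are all constructed for illustration). The vulnerable handler revokes the user's other sessions but returns the same token it was called with; the fixed handler additionally rotates the current session's token, so a copy of the pre-change token stops resolving to the user.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    user_id: int
    token: str
    created_at: float = field(default_factory=time.time)


class SessionStore:
    """In-memory stand-in for a server-side session store (constructed for this example)."""

    def __init__(self):
        self._sessions = {}  # token -> Session

    def create(self, user_id):
        # 32 random bytes, URL-safe encoded, as the opaque session token
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, token)
        return token

    def resolve(self, token):
        """Return the user id for a token, or None if the token is no longer accepted."""
        s = self._sessions.get(token)
        return s.user_id if s else None

    def revoke_others(self, user_id, keep_token):
        """Drop every session of `user_id` except `keep_token`."""
        doomed = [t for t, s in self._sessions.items() if s.user_id == user_id and t != keep_token]
        for tok in doomed:
            del self._sessions[tok]

    def rotate(self, old_token):
        """Replace a session's token with a fresh one; the old token stops resolving."""
        s = self._sessions.pop(old_token)
        return self.create(s.user_id)


def change_password_vulnerable(store, current_token, new_password_hash, users):
    """Behaviour described in the advisory: other sessions are terminated, but the
    token of the session that performed the change stays valid unchanged."""
    user_id = store.resolve(current_token)
    users[user_id] = new_password_hash
    store.revoke_others(user_id, keep_token=current_token)
    return current_token


def change_password_fixed(store, current_token, new_password_hash, users):
    """Same flow, but the current session's token is rotated as well, so any copy of
    the old token that leaked before the change no longer resolves to the user."""
    user_id = store.resolve(current_token)
    users[user_id] = new_password_hash
    store.revoke_others(user_id, keep_token=current_token)
    return store.rotate(current_token)


def demo(handler):
    """Run one password change through `handler` and report whether the user's other
    session was revoked and whether a copy of the pre-change token is still accepted."""
    users = {42: "hash-of-old-password"}  # constructed user table: user id -> password hash
    store = SessionStore()
    browser_token = store.create(42)  # the user's own browser session
    other_token = store.create(42)    # a second login on another device
    leaked_copy = browser_token       # a copy of the browser token obtained before the change
    new_token = handler(store, browser_token, "hash-of-new-password", users)
    return {
        "other_session_revoked": store.resolve(other_token) is None,
        "leaked_copy_still_valid": store.resolve(leaked_copy) == 42,
        "new_token_valid": store.resolve(new_token) == 42,
    }


if __name__ == "__main__":
    print("vulnerable:", demo(change_password_vulnerable))
    print("fixed:     ", demo(change_password_fixed))
```

The check a reviewer would apply to any password-change handler is the one `demo` encodes: after the change, a token captured beforehand must not resolve to the user, while the session that performed the change continues to work under a newly issued token.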

Impact

Exploitation of this vulnerability allows for session hijacking, where an attacker can continue to act as the user after the user has changed their password.

Remediation

Users can upgrade to PILOS version 4.8.0 or later to address this vulnerability.

Added: Oct 27, 2025, 10:18 PM
Updated: Oct 27, 2025, 10:18 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          0.6
  exploitability  3.3
  remediation     7.7
  relevance       0.8
  threat          0.0
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.