CVE-2025-66911

Medium CVSS: 6.5

Turms IM Server v0.10.0-SNAPSHOT and earlier contains a broken access control vulnerability in the user online status query functionality. The handleQueryUserOnlineStatusesRequest() method in UserServiceController.java allows any authenticated user to query the online status, device information, and login timestamps of arbitrary users without proper authorization checks.

Vendor

Turms-im

Product

Turms

CWE

CWE-284

Yayın Tarihi

2025-12-19 15:15:56

Güncelleme

2026-01-02 19:49:06

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-284 Turms MEDIUM Turms-im 2025

Referanslar

https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66911_report.md https://github.com/turms-im/turms https://github.com/turms-im/turms/blob/develop/turms-service/src/main/java/im/turms/service/domain/user/access/servicerequest/controller/UserServiceController.java#L239 https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66911_report.md

Benzer Kayıtlar

Medium

CVE-2025-66906

Cross Site Request Forgery (CSRF) vulnerability in Turms Admin API thru v0.10.0-SNAPSHOT allows attackers to gain escala…

Medium

CVE-2025-66908

Turms AI-Serving module v0.10.0-SNAPSHOT and earlier contains an improper file type validation vulnerability in the OCR…

High

CVE-2025-66909

Turms AI-Serving module v0.10.0-SNAPSHOT and earlier contains an image decompression bomb denial of service vulnerabilit…

Medium

CVE-2025-66910

Turms Server v0.10.0-SNAPSHOT and earlier contains a plaintext password storage vulnerability in the administrator authe…