exploitDog

CVE-2025-66911

Published: 19 Dec 2025
Source: nvd
CVSS3: 6.5
EPSS: Low

Description

Turms IM Server v0.10.0-SNAPSHOT and earlier contains a broken access control vulnerability in the user online status query functionality. The handleQueryUserOnlineStatusesRequest() method in UserServiceController.java allows any authenticated user to query the online status, device information, and login timestamps of arbitrary users without proper authorization checks.

Vulnerable configurations

Configuration 1
cpe:2.3:a:turms-im:turms:0.10.0-snapshot:*:*:*:*:*:*:*

EPSS

Percentile: 10%
0.00035
Low

6.5 Medium

CVSS3

Weaknesses

CWE-284

Related vulnerabilities

CVSS3: 6.5
github
about 2 months ago

Turms IM Server v0.10.0-SNAPSHOT and earlier contains a broken access control vulnerability in the user online status query functionality. The handleQueryUserOnlineStatusesRequest() method in UserServiceController.java allows any authenticated user to query the online status, device information, and login timestamps of arbitrary users without proper authorization checks.
