CVE-2025-66911
BaseFortify
Publication date: 2025-12-19
Last updated on: 2025-12-19
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| turms-im | turms | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a broken access control issue in Turms IM Server v0.10.0-SNAPSHOT and earlier. Specifically, the handleQueryUserOnlineStatusesRequest() method in UserServiceController.java allows any authenticated user to query the online status, device information, and login timestamps of arbitrary users without proper authorization checks.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing unauthorized access to sensitive user information such as online status, device details, and login timestamps. This could lead to privacy violations, user tracking, and potential misuse of personal data by malicious actors within the system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update or patch the Turms IM Server to a version later than v0.10.0-SNAPSHOT where proper authorization checks are implemented in the handleQueryUserOnlineStatusesRequest() method. Additionally, review and restrict access controls to ensure that only authorized users can query user online status, device information, and login timestamps.