Description

Turms IM Server v0.10.0-SNAPSHOT and earlier contains a broken access control vulnerability in the user online status query functionality. The handleQueryUserOnlineStatusesRequest() method in UserServiceController.java allows any authenticated user to query the online status, device information, and login timestamps of arbitrary users without proper authorization checks.

Status: PUBLISHED | Reserved 2025-12-08 | Published 2025-12-19 | Updated 2025-12-19 | Assigner: MITRE

References

github.com/..._cve_report/blob/main/CVE-2025-66911_report.md (tagged: exploit)

github.com/turms-im/turms

github.com/...erequest/controller/UserServiceController.java

github.com/..._cve_report/blob/main/CVE-2025-66911_report.md

cve.org (CVE-2025-66911)

nvd.nist.gov (CVE-2025-66911)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.