← Voltar para CVEs

CVE-2025-66910

MEDIUM

6.0

Descricao

Turms Server v0.10.0-SNAPSHOT and earlier contains a plaintext password storage vulnerability in the administrator authentication system. The BaseAdminService class caches administrator passwords in plaintext within AdminInfo objects to optimize authentication performance. Upon successful login, raw passwords are stored unencrypted in memory in the rawPassword field. Attackers with local system access can extract these passwords through memory dumps, heap analysis, or debugger attachment, bypassing bcrypt protection.

Detalhes CVE

Pontuacao CVSS v3.16.0

SeveridadeMEDIUM

Vetor CVSSCVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Vetor de ataqueLOCAL

ComplexidadeLOW

Privilegios necessariosHIGH

Interacao do usuarioNONE

Publicado12/19/2025

Ultima modificacao1/2/2026

Fontenvd

Avistamentos honeypot0

Produtos afetados

turms-im:turms

Fraquezas (CWE)

CWE-256CWE-532

Referencias

https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66910_report.md(cve@mitre.org)

https://github.com/turms-im/turms(cve@mitre.org)

https://github.com/turms-im/turms/blob/develop/turms-server-common/src/main/java/im/turms/server/common/domain/admin/bo/AdminInfo.java#L34(cve@mitre.org)

https://github.com/turms-im/turms/blob/develop/turms-server-common/src/main/java/im/turms/server/common/domain/admin/service/BaseAdminService.java#L237(cve@mitre.org)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.