PT-2025-40599 · Unknown · Opensupports
Cristian Vargas · Published 2025-10-03 · Updated 2026-02-03 · CVE-2025-10696
CVSS v4.0: 7.1 (High)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
OpenSupports version 4.11.0
Description
The software exposes an endpoint that allows modification of the 'supervised users' list for any account without verifying ownership. This allows a Level 1 staff member to alter the supervision relationship of a target user, potentially granting access to view tickets belonging to other users. This circumvents the intended authorization model and compromises data filtering. The affected API endpoint allows unauthorized modification of supervision relationships. The vulnerable parameter is the list of supervised users.
Recommendations
Apply a fix to validate that the actor attempting to modify the 'supervised users' list is the owner of that list.
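As an added illustration, not OpenSupports code and not the vendor's fix, the following hypothetical Python model shows a handler that rewrites any account's supervised-users list without comparing actor and target, beside the hardened form that only lets the owner of the list change it. User ids, staff levels and handler names are constructed for the example.

```python
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when the actor is not allowed to edit the requested list."""


@dataclass
class User:
    user_id: int
    staff_level: int = 0        # 0 = regular user; 1 = Level 1 staff (assumed meaning)
    supervised: set = field(default_factory=set)


def make_users():
    """Constructed directory: user 10 supervises user 11; user 20 is Level 1 staff."""
    return {
        10: User(10, supervised={11}),
        11: User(11),
        20: User(20, staff_level=1),
    }


def edit_supervised_users_vulnerable(users, actor_id, target_user_id, supervised_ids):
    """Flawed handler: only checks that the actor exists, never that they own the list.

    Because actor and target are never compared, a Level 1 staff account can
    change the supervision relationship of any other user.
    """
    if actor_id not in users:
        raise AuthorizationError("not authenticated")
    target = users[target_user_id]
    target.supervised = set(supervised_ids)
    return target.supervised


def edit_supervised_users_fixed(users, actor_id, target_user_id, supervised_ids):
    """Hardened handler: the list may only be changed by the account that owns it."""
    if actor_id not in users:
        raise AuthorizationError("not authenticated")
    if actor_id != target_user_id:
        raise AuthorizationError("actor does not own the supervised-users list")
    unknown = set(supervised_ids) - set(users)
    if unknown:
        raise ValueError(f"unknown user ids: {sorted(unknown)}")
    target = users[target_user_id]
    target.supervised = set(supervised_ids)
    return target.supervised


def attempt(handler, users, actor_id, target_user_id, supervised_ids):
    """Run a handler and report 'applied' or 'denied'; handy as a regression check."""
    try:
        handler(users, actor_id, target_user_id, supervised_ids)
        return "applied"
    except AuthorizationError:
        return "denied"
```

A regression test for the fix should assert that a non-owner's request is denied and that the target's list is unchanged afterwards.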
Weakness Enumeration
Incorrect Authorization
Affected Products
Opensupports