CVE-2025-10696

OpenSupports exposes an endpoint that allows the list of 'supervised users' for any account to be edited, but it does not validate whether the actor is the owner of that list. A Level 1 staff member can modify the supervision relationship of a third party (the target user), who can then view the tickets of the added 'supervised' users. This breaks the authorization model and filters the content of other users' tickets.This issue affects OpenSupports: 4.11.0.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://fluidattacks.com/advisories/stratovarius	Exploit Vendor Advisory
https://github.com/opensupports/opensupports	Product
https://fluidattacks.com/advisories/stratovarius	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:opensupports:opensupports:4.11.0:*:*:*:*:*:*:*

History

22 Dec 2025, 13:19

Type	Values Removed	Values Added
CPE		cpe:2.3:a:opensupports:opensupports:4.11.0:::::::*
First Time		Opensupports Opensupports opensupports
References	~~() https://fluidattacks.com/advisories/stratovarius -~~	() https://fluidattacks.com/advisories/stratovarius - Exploit, Vendor Advisory
References	~~() https://github.com/opensupports/opensupports -~~	() https://github.com/opensupports/opensupports - Product
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4

06 Oct 2025, 15:16

Type	Values Removed	Values Added
References	~~() https://fluidattacks.com/advisories/stratovarius -~~	() https://fluidattacks.com/advisories/stratovarius -

03 Oct 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-10-03 21:15

Updated : 2025-12-22 13:19

NVD link : CVE-2025-10696

Mitre link : CVE-2025-10696

CVE.ORG link : CVE-2025-10696

JSON object : View

Products Affected

opensupports

opensupports

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2025-10696", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "help@fluidattacks.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-10-03T21:15:33.503", "references": [{"url": "https://fluidattacks.com/advisories/stratovarius", "tags": ["Exploit", "Vendor Advisory"], "source": "help@fluidattacks.com"}, {"url": "https://github.com/opensupports/opensupports", "tags": ["Product"], "source": "help@fluidattacks.com"}, {"url": "https://fluidattacks.com/advisories/stratovarius", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "help@fluidattacks.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "OpenSupports exposes an endpoint that allows the list of 'supervised users' for any account to be edited, but it does not validate whether the actor is the owner of that list. A Level 1 staff member can modify the supervision relationship of a third party (the target user), who can then view the tickets of the added 'supervised' users. This breaks the authorization model and filters the content of other users' tickets.This issue affects OpenSupports: 4.11.0."}], "lastModified": "2025-12-22T13:19:27.750", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:opensupports:opensupports:4.11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "79B3C4CE-1AEE-44B6-BDEC-726B28A99A89"}], "operator": "OR"}]}], "sourceIdentifier": "help@fluidattacks.com"}