CVE-2025-10696

Source
https://cve.org/CVERecord?id=CVE-2025-10696
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-10696.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-10696
Published
2025-10-03T21:15:33.503Z
Modified
2026-04-10T05:20:30.681008Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
[none]
Details

OpenSupports exposes an endpoint that allows the list of 'supervised users' for any account to be edited, but it does not validate whether the actor is the owner of that list. A Level 1 staff member can modify the supervision relationship of a third party (the target user), who can then view the tickets of the added 'supervised' users. This breaks the authorization model and leaks the content of other users' tickets. This issue affects OpenSupports: 4.11.0.

References

Affected packages

Git / github.com/opensupports/opensupports

Affected ranges

Type
GIT
Repo
https://github.com/opensupports/opensupports
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.11.0"
        }
    ]
}

Affected versions

v4.*
v4.0b
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.10.0
v4.11.0
v4.2.0
v4.2.1
v4.3.0
v4.3.2
v4.4.0
v4.6.0
v4.6.1
v4.7.0
v4.8.0
v4.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-10696.json"