CVE-2025-10696 HIGH

CVE-2025-10696: OpenSupports 4.11.0 — Insecure Direct Object Reference in supervised list

Vendor Opensupports

Product OpenSupports

Weakness CWE-863 · Incorrect authorization

Published October 3, 2025

Last update October 6, 2025

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OpenSupports exposes an endpoint that allows the list of 'supervised users' for any account to be edited, but it does not validate whether the actor is the owner of that list. A Level 1 staff member can modify the supervision relationship of a third party (the target user), who can then view the tickets of the added 'supervised' users. This breaks the authorization model and filters the content of other users' tickets.This issue affects OpenSupports: 4.11.0.

Key dates

02Disclosure timeline

October 3, 2025 CVE published

October 6, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-10696 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

CVE-2025-10696: OpenSupports 4.11.0 — Insecure Direct Object Reference in supervised list

01Description

02Disclosure timeline

03References

04Related CVE