CVE-2025-10696

Exploit

EPSS 0.03%
Veröffentlicht 03.10.2025 20:35:41
Zuletzt bearbeitet 22.12.2025 13:19:27
Quelle help@fluidattacks.com
CVE-Watchlists
Login
Unerledigt
Login

OpenSupports exposes an endpoint that allows the list of 'supervised users' for any account to be edited, but it does not validate whether the actor is the owner of that list. A Level 1 staff member can modify the supervision relationship of a third party (the target user), who can then view the tickets of the added 'supervised' users. This breaks the authorization model and filters the content of other users' tickets.This issue affects OpenSupports: 4.11.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Opensupports ≫ Opensupports Version4.11.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.092

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
help@fluidattacks.com	7.1	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/opensupports/opensupports

Product

https://fluidattacks.com/advisories/stratovarius

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-10696

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-10696

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-10696

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-10696