
OpenSupports 4.11.0 — Insecure Direct Object Reference in supervised list
Discovered by: Offensive Team, Fluid Attacks
Summary
Full name: OpenSupports 4.11.0 — IDOR in supervised list enables cross-user ticket disclosure
Code name:
State: Public
Release date: 3 Oct 2025
Affected product: OpenSupports
Vendor: OpenSupports
Affected version(s): 4.11.0
Vulnerability name: Insecure object reference
Vulnerability type:
Remotely exploitable: Yes
CVSS v4.0 vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS v4.0 base score: 7.1
Exploit available: Yes
CVE ID(s):
Description
OpenSupports exposes an endpoint that edits the list of 'supervised users' of any account, but it never checks whether the requesting actor owns that list. A Level 1 staff member can therefore rewrite the supervision relationship of a third party (the target user), and the user added as 'supervisor' can then read the tickets of every user placed in their 'supervised' list. This breaks the authorization model and leaks the content of other users' tickets.
Vulnerability
Relevant fragments from the backend (server):
Edit of the list without an ownership check (server/controllers/user/edit-supervised-list.php):
Secure pattern for comparison (server/controllers/staff/get-tickets.php):
Author filter (server/controllers/ticket/search.php):
Together, these pieces allow a level-1 staff member (staff_1) to impose supervision relationships between unrelated accounts, after which the resulting “supervisor” user can list the tickets of the victims.
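The missing check is the whole issue, so the following added example (written for this advisory; it is not OpenSupports code and all class, function and field names are assumptions) contrasts a handler that trusts the `userId` in the request with one that refuses to touch a supervised list unless the actor owns it or is an administrator, and logs the refusal so the attempt shows up in the audit trail:

```php
<?php
// Added example, not OpenSupports code. Actor, ADMIN_LEVEL, the request
// field names and the $persist callback are all assumptions made here.
declare(strict_types=1);

// Minimal stand-in for the authenticated session user (constructed).
final class Actor {
    public function __construct(
        public readonly int $id,
        public readonly int $level,      // staff level; 0 for regular users
        public readonly bool $isStaff,
    ) {}
}

const ADMIN_LEVEL = 3;  // assumed level that may manage any user's list

// Vulnerable shape: whoever is logged in can rewrite any user's list,
// because the target is taken from the request and never compared to the actor.
function editSupervisedListVulnerable(array $request, callable $persist): void {
    $targetUserId  = (int) $request['userId'];
    $supervisedIds = array_map('intval', explode(',', $request['supervisedIds']));
    $persist($targetUserId, $supervisedIds);   // no ownership or privilege check
}

// Hardened shape: only the list owner (a regular user editing their own list)
// or an administrator may change it; a level-1 staff member naming another
// account is refused before any write happens.
function canEditSupervisedList(Actor $actor, int $targetUserId): bool {
    if ($actor->isStaff) {
        return $actor->level >= ADMIN_LEVEL;
    }
    return $actor->id === $targetUserId;
}

function editSupervisedListHardened(Actor $actor, array $request, callable $persist): string {
    $targetUserId = (int) ($request['userId'] ?? 0);
    if (!canEditSupervisedList($actor, $targetUserId)) {
        // Record actor and target so a cross-account edit attempt is visible.
        error_log(sprintf('denied supervised-list edit: actor=%d target=%d',
                          $actor->id, $targetUserId));
        return 'NO_PERMISSION';
    }
    $ids = array_map('intval', explode(',', (string) ($request['supervisedIds'] ?? '')));
    // Drop invalid ids, duplicates and the owner itself before persisting.
    $ids = array_filter(array_unique($ids), fn (int $id) => $id > 0 && $id !== $targetUserId);
    $persist($targetUserId, array_values($ids));
    return 'OK';
}

// Constructed scenario mirroring the advisory: a level-1 staff member tries to
// make user 7 (S) supervise user 9 (T); then S edits their own list.
$store   = [];
$persist = function (int $owner, array $ids) use (&$store): void { $store[$owner] = $ids; };

$staff1  = new Actor(id: 2, level: 1, isStaff: true);
$userS   = new Actor(id: 7, level: 0, isStaff: false);
$request = ['userId' => '7', 'supervisedIds' => '9'];

echo editSupervisedListHardened($staff1, $request, $persist), PHP_EOL;
echo editSupervisedListHardened($userS,  $request, $persist), PHP_EOL;
```

Run with `php example.php`: the staff-level-1 attempt is refused and logged, while the owner's own edit is persisted. The decision lives in one function so the same rule can be reused by any other endpoint that reads or writes the supervised list.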
PoC
Log in as staff2 (level 1) and obtain a CSRF token:
Create the Supervisor (S) and the Target (T):
Log in as the Target (T) and create a ticket:
IDOR: staff2 adds T to S's “supervised” list:
Log in as S and retrieve T's tickets through the supervised list:
Evidence of Exploitation
Our security policy
We have reserved the ID CVE-2025-10696 to refer to this issue from now on.
System Information
OpenSupports
Version 4.11.0
Operating System: Any
References
GitHub repository: https://github.com/opensupports/opensupports
Security: https://github.com/opensupports/opensupports/security
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Cristian Vargas from Fluid Attacks' Offensive Team.
Timeline
8 Sept 2025: Vulnerability discovered
18 Sept 2025: Vendor contacted
3 Oct 2025: Public disclosure