High severityNVD Advisory· Published Oct 3, 2025· Updated Apr 15, 2026
CVE-2025-10692
CVE-2025-10692
Description
The endpoint POST /api/staff/get-new-tickets concatenates the user-controlled parameter departmentId directly into the SQL WHERE clause without parameter binding. As a result, an authenticated staff user (level ≥ 1) can inject SQL to alter the filter logic, effectively bypassing department scoping and disclosing tickets beyond their intended access.This issue affects OpenSupports: 4.11.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: = 4.11.0
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.