VYPR
High severity · NVD Advisory · Published Oct 3, 2025 · Updated Apr 15, 2026

CVE-2025-10692

Description

The endpoint POST /api/staff/get-new-tickets concatenates the user-controlled parameter departmentId directly into the SQL WHERE clause without parameter binding. As a result, an authenticated staff user (level ≥ 1) can inject SQL to alter the filter logic, effectively bypassing department scoping and disclosing tickets beyond their intended access. This issue affects OpenSupports: 4.11.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated staff users can exploit SQL injection in the departmentId parameter to bypass department scoping and view tickets from all departments.

Vulnerability

Overview

The endpoint POST /api/staff/get-new-tickets in OpenSupports 4.11.0 is vulnerable to SQL injection. The user-controlled parameter departmentId is concatenated directly into the SQL WHERE clause without parameter binding [2]. An authenticated staff user (level ≥ 1) can therefore inject SQL that alters the filter logic of the query.

Exploitation

An attacker must be authenticated as a staff user with level 1 or higher. By sending a crafted departmentId value containing a SQL tautology (e.g., 1 OR 1=1), the attacker turns the department condition into one that is true for every row, so the intended department scoping no longer filters the result [2]. The injection occurs in the backend file server/controllers/staff/get-new-tickets.php, which lacks the parameterized query pattern used elsewhere in the application [2].

Impact

Successful exploitation enables a low-privileged staff user to list "new tickets" across all departments, gaining unauthorized access to ticket titles, content excerpts, and metadata [2]. This constitutes a confidentiality breach and an escalation of scope beyond the user's authorized department filter.

Mitigation

As of the advisory publication, no patch is available for this vulnerability [2]. The vendor recommends applying input validation and using parameterized queries to prevent SQL injection. The vulnerability has been assigned CVE-2025-10692 and was discovered by Cristian Vargas from Fluid Attacks' Offensive Team [2].
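The following is an added illustration of the flaw described in the Exploitation section and of the fix recommended in the Mitigation section. It is not OpenSupports code: the table layout, the query text, the sample tickets and the assumption that a staff account is scoped to a set of department IDs are all constructed here for demonstration. It contrasts a WHERE clause built by string concatenation, which the tautology payload 1 OR 1=1 widens to every new ticket, with a version that validates departmentId as an integer, checks it against the caller's assigned departments, and binds it as a query parameter.

```python
import re
import sqlite3

# Constructed sample data (not from the project): (id, department_id, title, status).
SAMPLE_TICKETS = [
    (1, 1, "Printer down", "new"),
    (2, 1, "VPN issue", "new"),
    (3, 2, "Payroll question", "new"),
    (4, 3, "Badge request", "new"),
    (5, 2, "Expense report", "closed"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed tickets."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ticket ("
        "id INTEGER PRIMARY KEY, department_id INTEGER NOT NULL, "
        "title TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO ticket VALUES (?, ?, ?, ?)", SAMPLE_TICKETS)
    return conn


def get_new_tickets_vulnerable(conn, department_id):
    """Mirror the advisory's flaw: departmentId is concatenated into the WHERE clause.

    With department_id = "1 OR 1=1" the clause becomes
        department_id = 1 OR 1=1 AND status = 'new'
    which SQL parses as  department_id = 1 OR (1=1 AND status = 'new'),
    i.e. every new ticket regardless of department.
    """
    sql = (
        "SELECT id, department_id, title FROM ticket "
        "WHERE department_id = " + str(department_id) + " AND status = 'new' "
        "ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def get_new_tickets_fixed(conn, department_id, staff_department_ids):
    """Hardened variant: validate, authorize, then bind the value as a parameter.

    staff_department_ids is an assumed set of department IDs the calling staff
    account is allowed to see; the real application's scoping model may differ.
    """
    # Input validation: only a plain decimal integer is acceptable.
    if not re.fullmatch(r"[0-9]+", str(department_id)):
        raise ValueError("departmentId must be a decimal integer")
    dept = int(department_id)

    # Server-side authorization: the department must be one the caller is assigned to.
    if dept not in staff_department_ids:
        raise PermissionError("staff member is not assigned to department %d" % dept)

    # Parameter binding: the value can never change the query structure.
    sql = (
        "SELECT id, department_id, title FROM ticket "
        "WHERE department_id = ? AND status = 'new' ORDER BY id"
    )
    return conn.execute(sql, (dept,)).fetchall()


def ticket_ids(rows):
    """Convenience helper: extract ticket IDs from a result set."""
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, scoped:", ticket_ids(get_new_tickets_vulnerable(db, 1)))
    print("vulnerable, payload:", ticket_ids(get_new_tickets_vulnerable(db, "1 OR 1=1")))
    print("fixed, scoped:", ticket_ids(get_new_tickets_fixed(db, "1", {1})))
    for bad in ("1 OR 1=1", "2"):
        try:
            get_new_tickets_fixed(db, bad, {1})
        except (ValueError, PermissionError) as exc:
            print("fixed, rejected %r: %s" % (bad, exc))
```

Note that the payload's effect depends on operator precedence: because OR binds more loosely than AND, a tautology injected into the department condition can also disturb neighbouring conditions in the same WHERE clause, so the exact rows disclosed depend on how the real query is written. Parameter binding removes that concern entirely; the integer check and the department authorization are defence in depth.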

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: none discovered yet.
