Unrated severityNVD Advisory· Published Oct 3, 2025· Updated Oct 6, 2025

OpenSupports 4.11.0 — Insecure Direct Object Reference in supervised list

CVE-2025-10696

Description

OpenSupports exposes an endpoint that allows the list of 'supervised users' for any account to be edited, but it does not validate whether the actor is the owner of that list. A Level 1 staff member can modify the supervision relationship of a third party (the target user), who can then view the tickets of the added 'supervised' users. This breaks the authorization model and filters the content of other users' tickets.This issue affects OpenSupports: 4.11.0.

Affected products

Opensupports/Opensupportsllm-fuzzy2 versions
=4.11.0+ 1 more
- (no CPE)range: =4.11.0
- (no CPE)range: 4.11.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

fluidattacks.com/advisories/stratovariusmitrethird-party-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000