CVE-2025-10692 | THREATINT

Description

The endpoint POST /api/staff/get-new-tickets concatenates the user-controlled parameter departmentId directly into the SQL WHERE clause without parameter binding. As a result, an authenticated staff user (level ≥ 1) can inject SQL to alter the filter logic, effectively bypassing department scoping and disclosing tickets beyond their intended access.This issue affects OpenSupports: 4.11.0.

PUBLISHED Reserved 2025-09-18 | Published 2025-10-03 | Updated 2025-10-03 | Assigner Fluid Attacks

HIGH: 7.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status

unaffected

4.11.0

affected

References

fluidattacks.com/advisories/tito third-party-advisory

github.com/opensupports/opensupports product

cve.org (CVE-2025-10692)

nvd.nist.gov (CVE-2025-10692)

Download JSON