1. Home
  2. CVE Database
  3. CVE-2025-10692
NONE · 0

CVE-2025-10692

The endpoint POST /api/staff/get-new-tickets concatenates the user-controlled parameter departmentId directly into the SQL WHERE clause without parameter binding. As a result, an authenticated staff u...

Vulnerability Description

The endpoint POST /api/staff/get-new-tickets concatenates the user-controlled parameter departmentId directly into the SQL WHERE clause without parameter binding. As a result, an authenticated staff user (level ≥ 1) can inject SQL to alter the filter logic, effectively bypassing department scoping and disclosing tickets beyond their intended access.This issue affects OpenSupports: 4.11.0.

Related Weaknesses (CWE)

CWE-89

References

FAQ

What is CVE-2025-10692?

CVE-2025-10692 is a documented vulnerability. The endpoint POST /api/staff/get-new-tickets concatenates the user-controlled parameter departmentId directly into the SQL WHERE clause without parameter binding. As a result, an authenticated staff u...

How severe is CVE-2025-10692?

CVSS scoring is not yet available for CVE-2025-10692. Check NVD for updates.

Is there a patch for CVE-2025-10692?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.