OpenSupports Insecure Direct Object Reference Vulnerability in Supervised User List Allowing Cross-User Ticket Disclosure

Vulnerability

An insecure direct object reference vulnerability has been identified in OpenSupports version 4.11.0. The application exposes an endpoint for editing the 'supervised users' list of an account, but it does not verify that the caller is authorized to change the list of the particular account named in the request. As a result, a Level 1 staff member can add a third party (the target user) to the supervised list of any other account (the supervisor), after which the supervisor can read the target user's tickets. This breaks the authorization model: ticket content is no longer properly filtered from users who are not entitled to see it.

Impact

Exploitation of this vulnerability allows a low-privileged (Level 1) staff member to modify supervision relationships between arbitrary accounts, so that the chosen supervisor gains read access to tickets of users it would otherwise have no access to.

Reproduction

To reproduce this vulnerability, log in as a Level 1 staff member and obtain a CSRF token. Create two further accounts: a supervisor and a target user. Log in as the target user and create a ticket. Using the staff session, edit the supervisor account's supervised-users list so that it includes the target user; the request succeeds even though the staff member does not own that list. Finally, log in as the supervisor and request the supervised tickets: the response includes the ticket created by the target user.
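The model below walks through the reproduction steps above against a flawed handler and a hardened one. It is an added illustration, not OpenSupports code: the data model, the staff-level scale, the function names and the hardened policy (only a level-3 administrator may change supervision relationships, and no account may supervise itself) are assumptions made for this demonstration, since the page only states that the ownership check was missing.

```python
"""Model of the supervised-list flaw described in the advisory.

Added illustrative example; it is not OpenSupports code. The data model,
the staff levels and the function names are assumptions made for this
demonstration, and the two handlers stand in for the abstract
"edit supervised users list" endpoint the advisory describes.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an actor is not allowed to perform an action."""


@dataclass
class User:
    id: int
    staff_level: int = 0                            # 0 = end user, 1..3 = staff (assumed scale)
    supervised: set = field(default_factory=set)    # ids of users this account may supervise


@dataclass
class Ticket:
    id: int
    author_id: int
    title: str


class HelpDesk:
    def __init__(self):
        self.users = {}
        self.tickets = {}

    def add_user(self, uid, staff_level=0):
        self.users[uid] = User(uid, staff_level)
        return self.users[uid]

    def create_ticket(self, actor_id, tid, title):
        self.tickets[tid] = Ticket(tid, actor_id, title)
        return self.tickets[tid]

    def edit_supervised_list_vulnerable(self, actor_id, account_id, user_ids):
        """Flawed handler: any staff login suffices and nothing ties the caller to
        `account_id`, so a Level 1 staff member can rewrite any account's list."""
        if self.users[actor_id].staff_level < 1:
            raise Forbidden("staff login required")
        self.users[account_id].supervised = set(user_ids)

    def edit_supervised_list_fixed(self, actor_id, account_id, user_ids):
        """Hardened handler. Policy assumed for this model: only a level-3
        administrator may change supervision relationships, every listed user
        must exist, and an account can never be made to supervise itself."""
        if self.users[actor_id].staff_level < 3:
            raise Forbidden("only an administrator may edit supervised lists")
        if account_id in user_ids or not set(user_ids).issubset(self.users):
            raise Forbidden("invalid supervised-user list")
        self.users[account_id].supervised = set(user_ids)

    def get_supervised_tickets(self, actor_id):
        """Ticket ids visible to `actor_id` through supervision (own tickets excluded)."""
        allowed = self.users[actor_id].supervised
        return sorted(t.id for t in self.tickets.values() if t.author_id in allowed)


def reproduce(use_fixed_handler):
    """Run the advisory's reproduction steps; return whether the staff member's
    edit was rejected and which ticket ids the supervisor can read afterwards."""
    desk = HelpDesk()
    desk.add_user(1, staff_level=1)   # Level 1 staff member
    desk.add_user(2)                  # supervisor account (a plain user)
    desk.add_user(3)                  # target user
    desk.create_ticket(3, 100, "target's private ticket")
    edit = desk.edit_supervised_list_fixed if use_fixed_handler else desk.edit_supervised_list_vulnerable
    try:
        edit(actor_id=1, account_id=2, user_ids=[3])   # staff grants supervisor access to target
        rejected = False
    except Forbidden:
        rejected = True
    return rejected, desk.get_supervised_tickets(2)


if __name__ == "__main__":
    print("vulnerable:", reproduce(False))   # (False, [100]) -> cross-user disclosure
    print("fixed:     ", reproduce(True))    # (True, [])
```

The point of the comparison is the second check in the hardened handler: being logged in as staff is authentication, not authorization over the account whose list is being edited, and the self-supervision and existence checks close the obvious follow-on abuses once the endpoint is restricted.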

Added: Oct 3, 2025, 9:19 PM
Updated: Oct 3, 2025, 9:19 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 2.5
exploitability: 6.8
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.