Skip to main content

Perfect Support Ticketing CVE-2026-63082

| EUVDEUVD-2026-44946 MEDIUM
Missing Authorization (CWE-862)
2026-07-16 VulnCheck GHSA-f4jp-mv74-fhx2
5.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Agent-level authentication required (PR:L), network-reachable with no scope change; limited confidentiality and integrity impact on ticket assignment data, no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 16:17 vuln.today
CVE Published
Jul 16, 2026 - 15:35 cve.org
MEDIUM 5.3

DescriptionCVE.org

Perfect Support Ticketing & Document Management System through 1.7 contains a broken access control vulnerability that allows authenticated attackers with Agent-level privileges to manipulate the Support Agent assignment field of tickets by bypassing intended authorization checks. Attackers can add or remove any user, including Superadmin accounts, from the Support Agent field of any ticket to which they are assigned, circumventing role-based access controls.

AnalysisAI

Broken access control in Perfect Support Ticketing & Document Management System through version 1.7 permits authenticated Agent-level users to manipulate the Support Agent assignment field on tickets beyond their authorized scope, including adding or removing Superadmin accounts. The vulnerability stems from missing server-side authorization checks (CWE-862), allowing role-based access controls to be circumvented entirely by any Agent assigned to a ticket. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as Agent-level user
Delivery
Access an assigned ticket's assignment interface
Exploit
Send crafted request to modify Support Agent field
Execution
Server fails to enforce role-based authorization
Persist
Add or remove Superadmin from ticket assignment
Impact
Achieve unauthorized workflow manipulation

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated account with Agent-level privileges in the Perfect Support Ticketing & Document Management System - unauthenticated access is not sufficient, as CVSS PR:L confirms low-privilege authentication is a prerequisite. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.3 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N) reflects a moderate-severity, network-accessible vulnerability requiring only low-privilege (Agent-level) authentication with no attack complexity prerequisites. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a valid Agent-level account, assigned to one or more tickets, crafts a direct API or form request targeting the Support Agent assignment endpoint, omitting or overriding the expected authorization token or role check. Using the publicly available PoC as a reference, the attacker removes a Superadmin from ticket visibility or inserts themselves or a controlled account into sensitive administrative tickets, enabling unauthorized access to privileged ticket content or disrupting support workflows.
Remediation No vendor-released patched version has been identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-63082 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy