CVE-2025-70141

CRITICAL

9.4

Descripcion

SourceCodester Customer Support System 1.0 contains an incorrect access control vulnerability in ajax.php. The AJAX dispatcher does not enforce authentication or authorization before invoking administrative methods in admin_class.php based on the action parameter. An unauthenticated remote attacker can perform sensitive operations such as creating customers and deleting users (including the admin account), as well as modifying or deleting other application records (tickets, departments, comments), resulting in unauthorized data modification.

Detalles CVE

Puntuacion CVSS v3.19.4

SeveridadCRITICAL

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosNONE

Interaccion usuarioNONE

Publicado2/18/2026

Ultima modificacion2/23/2026

Fuentenvd

Avistamientos honeypot0

Productos afectados

oretnom23:customer_support_system

Debilidades (CWE)

CWE-306CWE-862

Referencias

https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code(cve@mitre.org)

https://youngkevinn.github.io/posts/CVE-2025-70141-Customer-Support-BAC/(cve@mitre.org)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.