CVE-2025-70141

CRITICAL

9.4

Descricao

SourceCodester Customer Support System 1.0 contains an incorrect access control vulnerability in ajax.php. The AJAX dispatcher does not enforce authentication or authorization before invoking administrative methods in admin_class.php based on the action parameter. An unauthenticated remote attacker can perform sensitive operations such as creating customers and deleting users (including the admin account), as well as modifying or deleting other application records (tickets, departments, comments), resulting in unauthorized data modification.

Detalhes CVE

Pontuacao CVSS v3.19.4

SeveridadeCRITICAL

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosNONE

Interacao do usuarioNONE

Publicado2/18/2026

Ultima modificacao2/23/2026

Fontenvd

Avistamentos honeypot0

Produtos afetados

oretnom23:customer_support_system

Fraquezas (CWE)

CWE-306CWE-862

Referencias

https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code(cve@mitre.org)

https://youngkevinn.github.io/posts/CVE-2025-70141-Customer-Support-BAC/(cve@mitre.org)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.