PT-2026-20464 · Sourcecodester · Sourcecodester Customer Support System

Published: 2026-02-18 · Updated: 2026-02-18 · CVE-2025-70141

CVSS v3.1: 9.4 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SourceCodester Customer Support System version 1.0

Description: The application has an access control issue in the ajax.php file. The AJAX dispatcher does not verify authentication or authorization before calling the administrative methods of admin class.php that are selected by the action parameter. This allows a remote, unauthenticated attacker to perform sensitive actions, including creating customers, deleting users (including the administrator account), and modifying or deleting application data such as tickets, departments, and comments, leading to unauthorized data changes. The vulnerable parameter is action.

Recommendations: Apply updates to address the access control flaw in ajax.php. Restrict access to admin class.php to authenticated and authorized users only. Implement proper authentication and authorization checks within the AJAX dispatcher before invoking administrative methods.
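As an added illustration of the recommendation above (example code, not Sourcecodester's own), the following PHP dispatcher shows the kind of check the advisory asks for: every request is mapped against an allow-list of actions, the session is checked for a logged-in user, and the caller's role is compared against the minimum role the action requires before any handler method is invoked. The session keys (`login_id`, `login_type`), the role numbering, the action names and the `Action` class are assumptions made for this example; the advisory only states that the original dispatcher called administrative methods chosen by `action` with no such checks.

```php
<?php
// Added example, not project code. Assumed: $_SESSION['login_id'] is set on
// login, $_SESSION['login_type'] holds a role (1 = admin, 2 = staff,
// 3 = customer), and an Action class exposes the handler methods.
session_start();

// Allow-list of dispatchable actions and the roles permitted to call each.
// Anything not listed here is refused before any method lookup happens.
const ACTION_POLICY = [
    'login'             => ['auth' => false, 'roles' => []],
    'save_customer'     => ['auth' => true,  'roles' => [1]],
    'delete_user'       => ['auth' => true,  'roles' => [1]],
    'delete_department' => ['auth' => true,  'roles' => [1]],
    'save_ticket'       => ['auth' => true,  'roles' => [1, 2, 3]],
    'delete_ticket'     => ['auth' => true,  'roles' => [1, 2]],
];

// Stand-in for the real handler class (assumed name); bodies only return a
// marker so the dispatcher can be exercised without a database.
class Action
{
    public function login(): string             { return 'login handled'; }
    public function save_customer(): string     { return 'customer saved'; }
    public function delete_user(): string       { return 'user deleted'; }
    public function delete_department(): string { return 'department deleted'; }
    public function save_ticket(): string       { return 'ticket saved'; }
    public function delete_ticket(): string     { return 'ticket deleted'; }
}

/**
 * Decide whether $action may run for the caller described by $session, and
 * only then invoke it. Returns [HTTP status, response body].
 */
function dispatch(?string $action, array $session, object $handler): array
{
    // 1. Unknown or missing action: refuse without touching the handler.
    if ($action === null || !array_key_exists($action, ACTION_POLICY)) {
        return [403, 'unknown action'];
    }
    $policy = ACTION_POLICY[$action];

    if ($policy['auth']) {
        // 2. Authentication: a session must carry a logged-in user id.
        if (empty($session['login_id'])) {
            return [401, 'authentication required'];
        }
        // 3. Authorization: the caller's role must be allowed for this action.
        $role = (int) ($session['login_type'] ?? 0);
        if (!in_array($role, $policy['roles'], true)) {
            return [403, 'insufficient privileges'];
        }
    }

    // 4. Only now is the method resolved and called.
    if (!method_exists($handler, $action)) {
        return [500, 'handler missing'];
    }
    return [200, $handler->$action()];
}

// Entry point: the action name comes from the request exactly as before,
// but passes through dispatch() instead of being called directly.
$action = $_GET['action'] ?? $_POST['action'] ?? null;
[$status, $body] = dispatch($action, $_SESSION, new Action());
http_response_code($status);
echo $body;
```

With this shape, an unauthenticated request for `delete_user` is answered with 401 and a customer-role session asking for the same action with 403; the handler method is never reached in either case, which is the property the advisory says the original `ajax.php` lacks.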

Weakness Enumeration: Missing Authentication; Missing Authorization

Related Identifiers: CVE-2025-70141

Affected Products: Sourcecodester Customer Support System