CVE 9.4 CRITICAL

CVE-2025-70141_CVE-2025-70141

February 18, 2026 invoker category_cve

9.4 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Description

SourceCodester Customer Support System 1.0 contains an incorrect access control vulnerability in ajax.php. The AJAX dispatcher does not enforce authentication or authorization before invoking administrative methods in admin_class.php based on the action parameter. An unauthenticated remote attacker can perform sensitive operations such as creating customers and deleting users (including the admin account), as well as modifying or deleting other application records (tickets, departments, comments), resulting in unauthorized data modification.

AI Analysis

Incorrect access control vulnerability in ajax.php allowing unauthenticated remote attackers to perform sensitive operations

Basic Information

ID CVE-2025-70141

Source mitre

Published Feb 18, 2026 at 00:00

Modified Feb 18, 2026 at 18:31

Affected Product

Vendor SourceCodester

Product Customer Support System

Version 1.0

Affected Versions n/a n/a n/a

CWE Classification

CWE-306 CWE-862

AI Assessment

AI Score 9.4 / 10

AI Severity Critical

Vendor SourceCodester

Product Customer Support System

Version 1.0

References

{
    "lastseen": "",
    "description": "SourceCodester Customer Support System 1.0 contains an incorrect access control vulnerability in ajax.php. The AJAX dispatcher does not enforce authentication or authorization before invoking administrative methods in admin_class.php based on the action parameter. An unauthenticated remote attacker can perform sensitive operations such as creating customers and deleting users (including the admin account), as well as modifying or deleting other application records (tickets, departments, comments), resulting in unauthorized data modification.",
    "published": "2026-02-18T00:00:00.000Z",
    "modified": "2026-02-18T18:31:26.903Z",
    "type": "cve",
    "title": "CVE-2025-70141",
    "source": "mitre",
    "references": "https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code\nhttps://youngkevinn.github.io/posts/CVE-2025-70141-Customer-Support-BAC/",
    "id": "CVE-2025-70141",
    "bulletinFamily": "",
    "cwe": [
        "CWE-306",
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "n/a n/a n/a",
    "sourceHref": "",
    "cvss": {
        "score": 9.4,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Customer Support System",
    "version": "1.0",
    "vendor": "SourceCodester",
    "ai_description": "Incorrect access control vulnerability in ajax.php allowing unauthenticated remote attackers to perform sensitive operations",
    "ai_severity": "Critical",
    "ai_vendor": "SourceCodester",
    "ai_product": "Customer Support System",
    "ai_version": "1.0",
    "ai_score": 9.4
}

💭 Join the Security Discussion ❌ Cancel Reply