This page lists publicly disclosed CVE vulnerabilities affecting oretnom23 customer_support_system (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-70141 | SourceCodester Customer Support System 1.0 contains an incorrect access control vulnerability in ajax.php. The AJAX dispatcher does not enforce authentication or authorization before invoking administrative methods in admin_class.php based on the action parameter. An unauthenticated remote attacker can perform sensitive operations such as creating customers and deleting users (including the admin account), as well as modifying or deleting other application records (tickets, departments, comments | [email protected] | 9.4 | 0.58% | 2026-02-18 | 2026-02-23 |
| CVE-2025-40729 | Reflected Cross-Site Scripting (XSS) in /customer_support/index.php in Customer Support System v1.0, which allows remote attackers to execute arbitrary code via the page parameter. | [email protected] | 4.8 | 0.24% | 2025-06-16 | 2025-10-09 |
| CVE-2025-40728 | SQL injection vulnerability in Customer Support System v1.0. This vulnerability allows an authenticated attacker to retrieve, create, update and delete databases via the id parameter in the /customer_support/manage_user.php endpoint. | [email protected] | 8.7 | 0.18% | 2025-06-16 | 2025-10-09 |
| CVE-2023-49978 | Incorrect access control in Customer Support System v1 allows non-administrator users to access administrative pages and execute actions reserved for administrators. | [email protected] | 8.8 | 0.51% | 2024-03-21 | 2025-03-05 |
| CVE-2023-51281 | Cross Site Scripting vulnerability in Customer Support System v.1.0 allows a remote attacker to escalate privileges via a crafted script firstname, "lastname", "middlename", "contact" and address parameters. | [email protected] | 5.4 | 0.23% | 2024-03-07 | 2025-03-28 |
| CVE-2023-49977 | A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the address parameter at /customer_support/index.php?page=new_customer. | [email protected] | 5.4 | 0.37% | 2024-03-06 | 2025-03-28 |
| CVE-2023-49976 | A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the subject parameter at /customer_support/index.php?page=new_ticket. | [email protected] | 5.4 | 0.26% | 2024-03-06 | 2025-03-28 |
| CVE-2023-49974 | A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the contact parameter at /customer_support/index.php?page=customer_list. | [email protected] | 6.1 | 0.37% | 2024-03-06 | 2025-03-28 |
| CVE-2023-49973 | A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the email parameter at /customer_support/index.php?page=customer_list. | [email protected] | 6.1 | 0.41% | 2024-03-06 | 2025-01-15 |
| CVE-2023-49971 | A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the firstname parameter at /customer_support/index.php?page=customer_list. | [email protected] | 6.1 | 0.30% | 2024-03-06 | 2025-01-15 |
| CVE-2023-49970 | Customer Support System v1 was discovered to contain a SQL injection vulnerability via the subject parameter at /customer_support/ajax.php?action=save_ticket. | [email protected] | 9.8 | 0.68% | 2024-03-05 | 2025-03-28 |
| CVE-2023-49969 | Customer Support System v1 was discovered to contain a SQL injection vulnerability via the id parameter at /customer_support/index.php?page=edit_customer. | [email protected] | 4.3 | 0.15% | 2024-03-05 | 2025-03-28 |
| CVE-2023-49968 | Customer Support System v1 was discovered to contain a SQL injection vulnerability via the id parameter at /customer_support/manage_department.php. | [email protected] | 7.3 | 0.12% | 2024-03-05 | 2025-03-28 |
| CVE-2023-49548 | Customer Support System v1 was discovered to contain a SQL injection vulnerability via the lastname parameter at /customer_support/ajax.php?action=save_user. | [email protected] | 8.8 | 0.54% | 2024-03-05 | 2025-03-28 |
| CVE-2023-49547 | Customer Support System v1 was discovered to contain a SQL injection vulnerability via the username parameter at /customer_support/ajax.php?action=login. | [email protected] | 9.8 | 7.34% | 2024-03-05 | 2025-03-28 |
| CVE-2023-49546 | Customer Support System v1 was discovered to contain a SQL injection vulnerability via the email parameter at /customer_support/ajax.php. | [email protected] | 8.8 | 0.51% | 2024-03-05 | 2025-03-28 |
| CVE-2023-49545 | A directory listing vulnerability in Customer Support System v1 allows attackers to list directories and sensitive files within the application without requiring authorization. | [email protected] | 7.5 | 0.30% | 2024-03-01 | 2025-03-28 |
| CVE-2023-49544 | A local file inclusion (LFI) in Customer Support System v1 allows attackers to include internal PHP files and gain unauthorized acces via manipulation of the page= parameter at /customer_support/index.php. | [email protected] | 4.9 | 0.99% | 2024-03-01 | 2025-03-28 |
| CVE-2023-50070 | Sourcecodester Customer Support System 1.0 has multiple SQL injection vulnerabilities in /customer_support/ajax.php?action=save_ticket via department_id, customer_id, and subject. | [email protected] | 8.8 | 0.24% | 2023-12-29 | 2024-11-21 |