Oretnom23 Customer Support System vulnerabilities
19 known vulnerabilities affecting oretnom23/customer_support_system.
Total CVEs: 19
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 7, MEDIUM 9
Vulnerabilities
CVE-2025-70141 [CRITICAL] CVSS 9.4 | P2 | CWE-306 | v1.0 | 2026-02-18
SourceCodester Customer Support System 1.0 contains an incorrect access control vulnerability in ajax.php. The AJAX dispatcher does not enforce authentication or authorization before invoking administrative methods in admin_class.php based on the action parameter. An unauthenticated remote attacker can perform sensitive operations such as creating
nvd
CVE-2023-49978 [HIGH] CVSS 8.8 | P3 | CWE-284 | v1.0 | 2024-03-21
Incorrect access control in Customer Support System v1 allows non-administrator users to access administrative pages and execute actions reserved for administrators.
nvd
CVE-2023-50070 [HIGH] CVSS 8.8 | P3 | CWE-89 | v1.0 | 2023-12-29
Sourcecodester Customer Support System 1.0 has multiple SQL injection vulnerabilities in /customer_support/ajax.php?action=save_ticket via department_id, customer_id, and subject.
nvd
CVE-2025-40728 [HIGH] CVSS 8.8 | P3 | CWE-89 | v1.0 | 2025-06-16
SQL injection vulnerability in Customer Support System v1.0. This vulnerability allows an authenticated attacker to retrieve, create, update and delete databases via the id parameter in the /customer_support/manage_user.php endpoint.
nvd
CVE-2023-49976 [MEDIUM] CVSS 5.4 | P4 | CWE-79 | PoC | v1.0 | 2024-03-06
A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the subject parameter at /customer_support/index.php?page=new_ticket.
nvd
CVE-2023-49547 [CRITICAL] CVSS 9.8 | P3 | CWE-89 | v1.0 | 2024-03-05
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the username parameter at /customer_support/ajax.php?action=login.
nvd
CVE-2023-49970 [CRITICAL] CVSS 9.8 | P3 | CWE-89 | v1.0 | 2024-03-05
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the subject parameter at /customer_support/ajax.php?action=save_ticket.
nvd
CVE-2023-49546 [HIGH] CVSS 8.8 | P3 | CWE-89 | v1.0 | 2024-03-05
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the email parameter at /customer_support/ajax.php.
nvd
CVE-2023-49548 [HIGH] CVSS 8.8 | P3 | CWE-89 | v1.0 | 2024-03-05
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the lastname parameter at /customer_support/ajax.php?action=save_user.
nvd
CVE-2023-49545 [HIGH] CVSS 7.5 | P3 | CWE-284 | v1.0 | 2024-03-01
A directory listing vulnerability in Customer Support System v1 allows attackers to list directories and sensitive files within the application without requiring authorization.
nvd
CVE-2023-49968 [HIGH] CVSS 7.3 | P3 | CWE-89 | v1.0 | 2024-03-05
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the id parameter at /customer_support/manage_department.php.
nvd
CVE-2023-51281 [MEDIUM] CVSS 5.4 | P4 | CWE-79 | v1.0 | 2024-03-07
Cross Site Scripting vulnerability in Customer Support System v.1.0 allows a remote attacker to escalate privileges via a crafted script in the firstname, lastname, middlename, contact and address parameters.
nvd
CVE-2023-49544 [MEDIUM] CVSS 4.9 | P4 | CWE-89 | v1.0 | 2024-03-01
A local file inclusion (LFI) in Customer Support System v1 allows attackers to include internal PHP files and gain unauthorized access via manipulation of the page= parameter at /customer_support/index.php.
nvd
CVE-2023-49969 [MEDIUM] CVSS 4.3 | P4 | CWE-89 | v1.0 | 2024-03-05
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the id parameter at /customer_support/index.php?page=edit_customer.
nvd
CVE-2023-49973 [MEDIUM] CVSS 6.1 | P4 | CWE-79 | v1.0 | 2024-03-06
A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the email parameter at /customer_support/index.php?page=customer_list.
nvd
CVE-2025-40729 [MEDIUM] CVSS 6.1 | P4 | CWE-79 | v1.0 | 2025-06-16
Reflected Cross-Site Scripting (XSS) in /customer_support/index.php in Customer Support System v1.0, which allows remote attackers to execute arbitrary code via the page parameter.
nvd
CVE-2023-49974 [MEDIUM] CVSS 6.1 | P4 | CWE-79 | v1.0 | 2024-03-06
A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the contact parameter at /customer_support/index.php?page=customer_list.
nvd
CVE-2023-49971 [MEDIUM] CVSS 6.1 | P4 | CWE-79 | v1.0 | 2024-03-06
A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the firstname parameter at /customer_support/index.php?page=customer_list.
nvd
CVE-2023-49977 [MEDIUM] CVSS 5.4 | P4 | CWE-79 | v1.0 | 2024-03-06
A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the address parameter at /customer_support/index.php?page=new_customer.
nvd