CVE-2025-70141

SourceCodester · Customer Support System

SourceCodester Customer Support System 1.0 contains an incorrect access control vulnerability in ajax.php, allowing unauthenticated attackers to invoke administrative methods and delete or modify records.

Executive summary

Unauthenticated attackers can gain full administrative control over the SourceCodester Customer Support System 1.0, enabling the deletion of the admin account and unauthorized data modification.

Vulnerability

The ajax.php dispatcher fails to enforce any authentication or authorization checks before calling methods in admin_class.php. This allows an unauthenticated remote attacker to trigger actions intended only for administrators, such as creating or deleting users, tickets, and departments.

Business impact

With a CVSS score of 9.4, this vulnerability represents a critical threat to business operations. An attacker can effectively lock out legitimate administrators by deleting their accounts and can destroy or alter customer support records, leading to significant data loss, operational disruption, and reputational damage.

Remediation

Immediate Action: Update to the latest version of the software or manually implement authentication checks within the ajax.php dispatcher to validate user sessions before processing requests.

Proactive Monitoring: Review database logs for unauthorized deletions or modifications of user accounts and support tickets.

Compensating Controls: Place the application behind a Web Application Firewall (WAF) and use custom rules to restrict the ajax.php endpoint to authenticated sessions only.
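To make the "Immediate Action" concrete, the following is an added example of what a hardened ajax.php-style dispatcher looks like once it validates the session and checks the caller's role before anything in admin_class.php is loaded. It is illustrative code written for this advisory, not the vendor's code or a patch from the project. The parameter name `action`, the session keys `user_id` and `role`, the action names in the allowlist, and the class name `Action` are all assumptions; the advisory names only ajax.php and admin_class.php.

```php
<?php
declare(strict_types=1);

// Hardened dispatcher for an ajax.php-style front controller.
// Added example, not the vendor's code. Assumed names (not from the advisory):
// the requested method arrives as $_GET['action']; a logged-in user has
// $_SESSION['user_id'] set and $_SESSION['role'] equal to 'admin' or 'user';
// the action names below are placeholders for the real methods in admin_class.php.

session_start();

// Deny by default: only actions listed here can ever reach admin_class.php,
// and each one declares which roles may invoke it. A method added to the
// class later is not reachable until it is deliberately listed here.
const ACTION_ROLES = [
    'save_ticket'       => ['admin', 'user'],   // placeholder action names
    'delete_ticket'     => ['admin'],
    'save_user'         => ['admin'],
    'delete_user'       => ['admin'],
    'save_department'   => ['admin'],
    'delete_department' => ['admin'],
];

/**
 * Decide whether the current session may run $action.
 * Returns an HTTP status: 200 allowed, 401 not logged in,
 * 403 logged in but insufficient role, 404 unknown action.
 */
function authorize_action(array $session, ?string $action): int
{
    if ($action === null || !array_key_exists($action, ACTION_ROLES)) {
        return 404;
    }
    if (empty($session['user_id'])) {
        return 401;   // the vulnerable dispatcher skipped this check entirely
    }
    $role = $session['role'] ?? '';
    if (!in_array($role, ACTION_ROLES[$action], true)) {
        return 403;
    }
    return 200;
}

$action = isset($_GET['action']) ? (string) $_GET['action'] : null;
$status = authorize_action($_SESSION, $action);

if ($status !== 200) {
    http_response_code($status);
    // Record denied calls so the log review under "Proactive Monitoring"
    // has a trail of unauthenticated or unauthorized attempts.
    error_log(sprintf(
        'ajax.php denied: status=%d action=%s ip=%s',
        $status,
        $action ?? '(none)',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ));
    exit('Access denied');
}

// Only after the session and role checks pass is the administrative
// class loaded and the requested method invoked.
require_once 'admin_class.php';
$crud = new Action();   // class name assumed for illustration
if (!method_exists($crud, $action)) {
    http_response_code(404);
    exit('Unknown action');
}
echo $crud->$action();
```

The two properties worth checking in any fix are that the session check runs before `require_once 'admin_class.php'` (so no administrative code executes for an anonymous request) and that dispatch goes through an explicit allowlist rather than calling whatever method name the client supplies.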

Exploitation status

Public Exploit Available: No

Analyst recommendation

The lack of access control on an administrative dispatcher is a fundamental security failure. Immediate remediation is required to protect the integrity of the support system. If a vendor patch is unavailable, developers should immediately wrap the ajax.php logic in a robust authentication check.