| Título | Eleveo Call Recording 9.7.0 Broken Access Control |
|---|
| Descripción | A Broken Access Control vulnerability exists in /callrec/pci_dss_status.jsp endpoint of Eleveo Call Recording 9.7.0, which allows low-privileged authenticated users, including those without “Other Settings” privilege, to retrieve the PCI compliance status of the system. The backend does not properly enforce role-based access control, allowing unauthorized access to information related to the system’s PCI compliance status. This functionality should be restricted to authorized administrative users.
Impact
Disclosure of PCI compliance status, which may reveal information about the security posture and compliance configuration of the system.
PoC
Comprehensive reproduction steps, including supporting screenshots, are available via the shared private link. Public disclosure will occur on GitHub after the responsible disclosure period of approximately 90 days has elapsed.
Note
Contact with the vendor was initiated on March 10, and no response has been received as of the submission date. The provided PoC is accessible via a restricted link and is intended solely for review purposes by anyone possessing the link. I plan to reserve a CVE early, with public disclosure scheduled after 90 days from the initial contact date, at which point the advisory will be published on my GitHub repository. The information shared here is provided exclusively to the VulnDB team to ensure awareness and understanding of the vulnerability details. |
|---|
| Fuente | ⚠️ https://drive.google.com/file/d/1mXPN23OQiKw9ui9ZUswn0-fOThfZt6xb/view?usp=sharing |
|---|
| Usuario | omarelshopky (UID 85487) |
|---|
| Sumisión | 2026-04-05 22:06 (hace 3 meses) |
|---|
| Moderación | 2026-07-11 11:33 (3 months later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 377776 [Eleveo Call Recording Software 9.7.0 pci_dss_status.jsp escalada de privilegios] |
|---|
| Puntos | 20 |
|---|