Invia #797466: Eleveo Call Recording 9.7.0 Broken Access Controlinformazioni

TitoloEleveo Call Recording 9.7.0 Broken Access Control
DescrizioneA Broken Access Control vulnerability exists in /callrec/restoreCallAction.do endpoint of Eleveo Call Recording 9.7.0, which allows low-privileged authenticated users to bypass administrator-defined access filters and restore call recordings that should not be accessible to them. Although administrators can configure filters to restrict which call recordings a user may access, the backend does not properly enforce these restrictions when processing restore requests. By invoking the affected endpoint, a user can restore recordings that fall outside the scope of their permitted filters, effectively bypassing the intended access controls. Impact Unauthorized restoration of restricted call recordings, allowing users to access recordings that should remain inaccessible according to administrator-defined filters. PoC Comprehensive reproduction steps, including supporting screenshots, are available via the shared private link. Public disclosure will occur on GitHub after the responsible disclosure period of approximately 90 days has elapsed. Note Contact with the vendor was initiated on March 10, and no response has been received as of the submission date. The provided PoC is accessible via a restricted link and is intended solely for review purposes by anyone possessing the link. I plan to reserve a CVE early, with public disclosure scheduled after 90 days from the initial contact date, at which point the advisory will be published on my GitHub repository. The information shared here is provided exclusively to the VulnDB team to ensure awareness and understanding of the vulnerability details.
Fonte⚠️ https://drive.google.com/file/d/1YhkazmU_1YQj9lzvwIBDzA-41fe2eayc/view?usp=sharing
Utente
 omarelshopky (UID 85487)
Sottomissione05/04/2026 22:10 (3 mesi fa)
Moderazione11/07/2026 11:33 (3 months later)
StatoAccettato
Voce VulDB377778 [Eleveo Call Recording Software 9.7.0 Recorded Calls Page restoreCallAction.do escalationi di privilegi]
Punti20

Do you want to use VulDB in your project?

Use the official API to access entries easily!