제출 #797458: Eleveo Call Recording 9.7.0 Broken Access Control정보

제목Eleveo Call Recording 9.7.0 Broken Access Control
설명Multiple Broken Access Control vulnerabilities in Eleveo Call Recording 9.7.0 allow low-privileged authenticated users, including those without “Users and Roles” privilege, to create groups via /callrec/roleAddAction.do endpoint and delete groups via /callrec/roleRemoveAction.do endpoint. The backend does not properly enforce role-based access control, allowing unauthorized creation and deletion of groups. Impact - Unauthorized group creation may allow attackers to create groups with full system privileges, which can be leveraged to escalate access or manipulate system configurations. - Chained attacks with Cross-Site Scripting: Groups created by low-privilege users can contain malicious JavaScript in their names, potentially allowing account takeover when other users access the group interface. - Unauthorized group deletion can disrupt business processes and remove critical access controls. PoC Comprehensive reproduction steps, including supporting screenshots, are available via the shared private link. Public disclosure will occur on GitHub after the responsible disclosure period of approximately 90 days has elapsed. Note Contact with the vendor was initiated on March 10, and no response has been received as of the submission date. The provided PoC is accessible via a restricted link and is intended solely for review purposes by anyone possessing the link. I plan to reserve a CVE early, with public disclosure scheduled after 90 days from the initial contact date, at which point the advisory will be published on my GitHub repository. The information shared here is provided exclusively to the VulnDB team to ensure awareness and understanding of the vulnerability details.
원천⚠️ https://drive.google.com/file/d/1GtIZC_PrOJPfQAfjcBckEbf8uDzGjt9B/view?usp=sharing
사용자
 omarelshopky (UID 85487)
제출2026. 04. 05. PM 09:54 (3 개월 ago)
모더레이션2026. 07. 10. AM 10:47 (3 months later)
상태수락
VulDB 항목377441 [Eleveo Call Recording Software 9.7.0 Group Interface roleAddAction.do 권한 상승]
포인트들20

Want to know what is going to be exploited?

We predict KEV entries!