| Title | Eleveo Call Recording 9.7.0 Broken Access Control |
|---|
| Description | Multiple Broken Access Control vulnerabilities in Eleveo Call Recording 9.7.0 allow low-privileged authenticated users, including those without “Users and Roles” privilege, to create groups via /callrec/roleAddAction.do endpoint and delete groups via /callrec/roleRemoveAction.do endpoint. The backend does not properly enforce role-based access control, allowing unauthorized creation and deletion of groups.
Impact
- Unauthorized group creation may allow attackers to create groups with full system privileges, which can be leveraged to escalate access or manipulate system configurations.
- Chained attacks with Cross-Site Scripting: Groups created by low-privilege users can contain malicious JavaScript in their names, potentially allowing account takeover when other users access the group interface.
- Unauthorized group deletion can disrupt business processes and remove critical access controls.
PoC
Comprehensive reproduction steps, including supporting screenshots, are available via the shared private link. Public disclosure will occur on GitHub after the responsible disclosure period of approximately 90 days has elapsed.
Note
Contact with the vendor was initiated on March 10, and no response has been received as of the submission date. The provided PoC is accessible via a restricted link and is intended solely for review purposes by anyone possessing the link. I plan to reserve a CVE early, with public disclosure scheduled after 90 days from the initial contact date, at which point the advisory will be published on my GitHub repository. The information shared here is provided exclusively to the VulnDB team to ensure awareness and understanding of the vulnerability details.
|
|---|
| Source | ⚠️ https://drive.google.com/file/d/1GtIZC_PrOJPfQAfjcBckEbf8uDzGjt9B/view?usp=sharing |
|---|
| User | omarelshopky (UID 85487) |
|---|
| Submission | 04/05/2026 21:54 (3 months ago) |
|---|
| Moderation | 07/10/2026 10:47 (3 months later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 377441 [Eleveo Call Recording Software 9.7.0 Group Interface roleAddAction.do improper authorization] |
|---|
| Points | 20 |
|---|