提交 #797459: Eleveo Call Recording 9.7.0 Broken Access Control信息

标题Eleveo Call Recording 9.7.0 Broken Access Control
描述A Broken Access Control vulnerability exists in /callrec/users_ldap.jsp endpoint of Eleveo Call Recording 9.7.0 which allows low-privileged authenticated users, including those without “Users and Roles” privilege, to retrieve a list of directory users. The backend does not properly enforce role-based access control, allowing unauthorized users to access directory information that should be restricted to administrative users. Retrieved details include usernames, email addresses, first names, and last names. Impact - Disclosure of sensitive directory information including usernames, email addresses, and full names. - Facilitation of targeted attacks such as phishing, social engineering, or brute-force login attempts using harvested user information. PoC Comprehensive reproduction steps, including supporting screenshots, are available via the shared private link. Public disclosure will occur on GitHub after the responsible disclosure period of approximately 90 days has elapsed. Note Contact with the vendor was initiated on March 10, and no response has been received as of the submission date. The provided PoC is accessible via a restricted link and is intended solely for review purposes by anyone possessing the link. I plan to reserve a CVE early, with public disclosure scheduled after 90 days from the initial contact date, at which point the advisory will be published on my GitHub repository. The information shared here is provided exclusively to the VulnDB team to ensure awareness and understanding of the vulnerability details.
来源⚠️ https://drive.google.com/file/d/14q47WM7nqXuUJbN-3xTXzCIbMUwD1kL8/view?usp=sharing
用户
 omarelshopky (UID 85487)
提交2026-04-05 21時57分 (3 月前)
管理2026-07-10 10時47分 (3 months later)
状态已接受
VulDB条目377442 [Eleveo Call Recording Software 9.7.0 LDAP User Interface /callrec/users_ldap.jsp 权限提升]
积分20

Want to know what is going to be exploited?

We predict KEV entries!