Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable endpoint requires low-privilege authentication; disclosure is read-only PCI status with no integrity or availability impact and no scope change.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was found in Eleveo Call Recording Software 9.7.0. This affects an unknown part of the file /callrec/pci_dss_status.jsp. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Improper authorization on the /callrec/pci_dss_status.jsp endpoint in Eleveo Call Recording Software 9.7.0 allows authenticated low-privilege users to access PCI DSS compliance status data they are not authorized to view. The exposed information reveals the payment card compliance posture of the organization, which could be leveraged to identify exploitable compliance gaps and inform targeted attacks against payment infrastructure. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold at least a low-privilege authenticated account on the Eleveo Call Recording Software 9.7.0 instance - the CVSS 4.0 PR:L metric confirms authentication is required and unauthenticated exploitation is not indicated. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.3 (Medium) accurately reflects the constrained impact: confidentiality is limited (VC:L), integrity and availability are unaffected. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A call center agent or other low-privilege user authenticates to the Eleveo web interface and sends an HTTP GET request directly to /callrec/pci_dss_status.jsp. The server processes the request without validating whether the user's role is authorized to view compliance data and returns the PCI DSS status page. … |
| Remediation | No vendor-released patch has been identified at time of analysis - the vendor did not respond to disclosure outreach and no official fix or advisory is available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Call Recording Software
View allImproper authorization in Eleveo Call Recording Software 9.7.0 allows remote authenticated users to access the /callrec/
Improper authorization in Eleveo Call Recording Software 9.7.0 allows remote authenticated low-privileged users to manip
Improper authorization in Eleveo Call Recording Software 9.7.0 allows remote low-privileged users to manipulate the 'rol
Improper authorization in Eleveo Call Recording Software 9.7.0 exposes the /callrec/sendlogfile endpoint to low-privileg
Improper authorization in Eleveo Call Recording Software 9.7.0 enables remote authenticated attackers to access call rec
Improper authorization in Eleveo Call Recording Software 9.7.0 allows authenticated remote attackers to bypass access co
Improper authorization in Eleveo Call Recording Software 9.7.0 allows authenticated remote attackers to access the /call
Improper authorization in Eleveo Call Recording Software 9.7.0 allows low-privileged authenticated remote users to bypas
Improper authorization in Eleveo Call Recording Software 9.7.0 allows authenticated remote attackers to perform unauthor
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43193
GHSA-q5mf-944j-vgq2