Skip to main content

Call Recording Software

10 CVEs product

Monthly

CVE-2026-15474 LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 enables remote authenticated attackers to access call recordings they are not permitted to view by manipulating the `callId` parameter in the `/callrec/audio.jsp` endpoint. The flaw follows a classic Insecure Direct Object Reference (IDOR) pattern under CWE-285, where the application fails to enforce per-user ownership checks on recording identifiers. A public exploit has been released and no vendor patch exists - the vendor did not respond to responsible disclosure - making compensating controls the only available mitigation at this time.

Authentication Bypass Call Recording Software
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15473 LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows authenticated remote attackers to perform unauthorized operations on the Recorded Calls Page via the `/callrec/restoreCallAction.do` endpoint, potentially accessing or restoring call recordings outside their permitted scope. The vulnerability stems from CWE-285 (Improper Authorization), meaning the application fails to enforce access controls on the restore call action, permitting privilege escalation within the recording management interface. A publicly available proof-of-concept exploit exists per the CVSS 4.0 E:P supplemental metric; no patch has been confirmed by the vendor, who did not respond to disclosure attempts.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15472 LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows authenticated remote attackers to bypass access controls on the /callrec/composeEmailAction.do endpoint, exposing limited confidential data. The flaw (CWE-285) means the application fails to enforce authorization decisions for at least one action reachable by low-privileged authenticated users. A publicly available proof-of-concept exploit has been disclosed via VulDB, and no vendor patch exists - the vendor did not respond to the coordinated disclosure. No public exploit identified at time of analysis as actively exploited (not in CISA KEV), though exploit code exists.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15471 LOW POC Monitor

Improper authorization on the /callrec/pci_dss_status.jsp endpoint in Eleveo Call Recording Software 9.7.0 allows authenticated low-privilege users to access PCI DSS compliance status data they are not authorized to view. The exposed information reveals the payment card compliance posture of the organization, which could be leveraged to identify exploitable compliance gaps and inform targeted attacks against payment infrastructure. A public proof-of-concept exploit exists; the vendor did not respond to responsible disclosure, leaving no official patch or advisory available.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15470 LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows authenticated remote attackers to access the /callrec/group.jsp endpoint without proper permission checks, resulting in unauthorized read access to call recording group data. A publicly available exploit has been disclosed via Google Drive; the vendor was notified but did not respond, meaning no official patch exists at time of analysis. No public exploit identified at time of analysis is superseded here - a public POC exists (E:P in the CVSS 4.0 vector), though this is not confirmed actively exploited (CISA KEV) and the CVSS 4.0 score of 2.1 reflects limited scope impact.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15377 LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 exposes the /callrec/sendlogfile endpoint to low-privileged authenticated remote attackers, enabling unauthorized access to log file functionality with confirmed confidentiality impact. The flaw (CWE-285) stems from missing or bypassable authorization checks on a sensitive operational endpoint within the call recording platform. A publicly available proof-of-concept exploit exists, and the vendor failed to respond to coordinated disclosure - no patch has been released.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15376 LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows remote authenticated users to access the /callrec/statisticReportAction.do endpoint beyond their privilege level, enabling unauthorized read, write, and availability impact on sensitive call statistics and reporting data. The vendor was notified but did not respond, leaving version 9.7.0 unpatched. A proof-of-concept exploit is publicly available, raising immediate risk for any organization running this version of the software.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15375 LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows low-privileged authenticated remote users to bypass access controls on the LDAP User Interface endpoint `/callrec/users_ldap.jsp`, exposing restricted LDAP directory user data without appropriate privilege verification. A public proof-of-concept exploit has been disclosed via Google Drive and the vendor has not responded to responsible disclosure, leaving no official patch or advisory available. The CVSS 4.0 base score of 2.1 reflects narrow confidentiality-only impact, but POC availability and vendor silence increase practical urgency for affected deployments.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15374 LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows remote authenticated low-privileged users to manipulate the role and group management endpoint (/callrec/roleAddAction.do), bypassing access controls without proper privilege checks. A publicly available exploit exists for this flaw, raising practical risk despite the relatively low CVSS 4.0 score of 2.1 (inflated downward by the E:P threat metric). The vendor was unresponsive to coordinated disclosure, meaning no official patch or acknowledgment exists at time of analysis.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15373 LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows remote low-privileged users to manipulate the 'role' parameter in the /callrec/userAddAction.do endpoint, potentially enabling unauthorized role assignment during user creation. The vulnerability carries a CVSS 4.0 score of 2.1 with low-impact metrics across confidentiality, integrity, and availability, though the real-world risk of privilege escalation through role manipulation may be underrepresented by that score. A proof-of-concept exploit is publicly available; no vendor patch exists as the vendor did not respond to responsible disclosure.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 enables remote authenticated attackers to access call recordings they are not permitted to view by manipulating the `callId` parameter in the `/callrec/audio.jsp` endpoint. The flaw follows a classic Insecure Direct Object Reference (IDOR) pattern under CWE-285, where the application fails to enforce per-user ownership checks on recording identifiers. A public exploit has been released and no vendor patch exists - the vendor did not respond to responsible disclosure - making compensating controls the only available mitigation at this time.

Authentication Bypass Call Recording Software
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows authenticated remote attackers to perform unauthorized operations on the Recorded Calls Page via the `/callrec/restoreCallAction.do` endpoint, potentially accessing or restoring call recordings outside their permitted scope. The vulnerability stems from CWE-285 (Improper Authorization), meaning the application fails to enforce access controls on the restore call action, permitting privilege escalation within the recording management interface. A publicly available proof-of-concept exploit exists per the CVSS 4.0 E:P supplemental metric; no patch has been confirmed by the vendor, who did not respond to disclosure attempts.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows authenticated remote attackers to bypass access controls on the /callrec/composeEmailAction.do endpoint, exposing limited confidential data. The flaw (CWE-285) means the application fails to enforce authorization decisions for at least one action reachable by low-privileged authenticated users. A publicly available proof-of-concept exploit has been disclosed via VulDB, and no vendor patch exists - the vendor did not respond to the coordinated disclosure. No public exploit identified at time of analysis as actively exploited (not in CISA KEV), though exploit code exists.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization on the /callrec/pci_dss_status.jsp endpoint in Eleveo Call Recording Software 9.7.0 allows authenticated low-privilege users to access PCI DSS compliance status data they are not authorized to view. The exposed information reveals the payment card compliance posture of the organization, which could be leveraged to identify exploitable compliance gaps and inform targeted attacks against payment infrastructure. A public proof-of-concept exploit exists; the vendor did not respond to responsible disclosure, leaving no official patch or advisory available.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows authenticated remote attackers to access the /callrec/group.jsp endpoint without proper permission checks, resulting in unauthorized read access to call recording group data. A publicly available exploit has been disclosed via Google Drive; the vendor was notified but did not respond, meaning no official patch exists at time of analysis. No public exploit identified at time of analysis is superseded here - a public POC exists (E:P in the CVSS 4.0 vector), though this is not confirmed actively exploited (CISA KEV) and the CVSS 4.0 score of 2.1 reflects limited scope impact.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 exposes the /callrec/sendlogfile endpoint to low-privileged authenticated remote attackers, enabling unauthorized access to log file functionality with confirmed confidentiality impact. The flaw (CWE-285) stems from missing or bypassable authorization checks on a sensitive operational endpoint within the call recording platform. A publicly available proof-of-concept exploit exists, and the vendor failed to respond to coordinated disclosure - no patch has been released.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows remote authenticated users to access the /callrec/statisticReportAction.do endpoint beyond their privilege level, enabling unauthorized read, write, and availability impact on sensitive call statistics and reporting data. The vendor was notified but did not respond, leaving version 9.7.0 unpatched. A proof-of-concept exploit is publicly available, raising immediate risk for any organization running this version of the software.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows low-privileged authenticated remote users to bypass access controls on the LDAP User Interface endpoint `/callrec/users_ldap.jsp`, exposing restricted LDAP directory user data without appropriate privilege verification. A public proof-of-concept exploit has been disclosed via Google Drive and the vendor has not responded to responsible disclosure, leaving no official patch or advisory available. The CVSS 4.0 base score of 2.1 reflects narrow confidentiality-only impact, but POC availability and vendor silence increase practical urgency for affected deployments.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows remote authenticated low-privileged users to manipulate the role and group management endpoint (/callrec/roleAddAction.do), bypassing access controls without proper privilege checks. A publicly available exploit exists for this flaw, raising practical risk despite the relatively low CVSS 4.0 score of 2.1 (inflated downward by the E:P threat metric). The vendor was unresponsive to coordinated disclosure, meaning no official patch or acknowledgment exists at time of analysis.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows remote low-privileged users to manipulate the 'role' parameter in the /callrec/userAddAction.do endpoint, potentially enabling unauthorized role assignment during user creation. The vulnerability carries a CVSS 4.0 score of 2.1 with low-impact metrics across confidentiality, integrity, and availability, though the real-world risk of privilege escalation through role manipulation may be underrepresented by that score. A proof-of-concept exploit is publicly available; no vendor patch exists as the vendor did not respond to responsible disclosure.

Authentication Bypass Call Recording Software
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy