Vedo Suite Path Traversal Vulnerability Allowing Arbitrary File Read
Vulnerability
A path traversal vulnerability exists in Vedo Suite version 2024.17 that allows remote authenticated attackers to read arbitrary files from the server filesystem. The cause is a file_get_contents() call in the '/api_vedo/template' endpoint whose path is built from a request parameter without sanitization or canonicalization, so '../' sequences in the parameter escape the intended template directory. The issue has been patched in version 2025.07.
Impact
Exploitation of this vulnerability gives an authenticated user read access to any file the web server process can open, potentially including application configuration files, credentials, or other data that could be used to further compromise the application or server. '/etc/passwd' serves only as a proof-of-concept target; configuration files with database or API credentials are the realistic objective.
Reproduction
To reproduce this vulnerability, authenticate to the application and send a GET request to the '/api_vedo/template' endpoint with a crafted 'html' parameter containing a path traversal sequence, for example '/api_vedo/template?html=../../../../../../../etc/passwd'. The parameter reaches the unsanitized file_get_contents() call, and the response contains the contents of the requested file.
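The code pattern behind this finding, as an added example that is not Vedo Suite's code: a handler in the vulnerable shape (the request parameter is concatenated straight into file_get_contents()) beside a hardened version that canonicalizes the path with realpath() and requires it to stay inside the template directory. TEMPLATE_DIR, the function names and the '.html' extension rule are assumptions for illustration; only the endpoint and the 'html' parameter come from the advisory.

```php
<?php
// Added example, not Vedo Suite's code. Shows the vulnerable pattern the
// advisory describes next to a hardened handler. TEMPLATE_DIR, the function
// names and the extension rule are assumed; only the 'html' parameter name
// comes from the advisory.

declare(strict_types=1);

// Assumed template root; the real location is not known from the advisory.
const TEMPLATE_DIR = '/var/www/vedo/templates';

// Vulnerable shape: the request value goes straight into file_get_contents(),
// so ?html=../../../../../../../etc/passwd reads /etc/passwd.
function vulnerable_template(string $html): string|false
{
    return file_get_contents(TEMPLATE_DIR . '/' . $html);
}

// Hardened shape: canonicalize with realpath() and require the result to stay
// inside TEMPLATE_DIR. realpath() follows symlinks and collapses "..", so
// nested or repeated traversal sequences cannot escape the prefix check.
function safe_template(string $html): string
{
    // Reject empty names, embedded NUL bytes and absolute paths up front.
    if ($html === '' || str_contains($html, "\0") || $html[0] === '/') {
        throw new InvalidArgumentException('invalid template name');
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $html);
    if ($base === false || $path === false) {
        throw new RuntimeException('template not found');
    }
    // Compare with a trailing separator so a sibling such as
    // /var/www/vedo/templates_old is not accepted as "inside" the base.
    if (!str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('template outside template directory');
    }
    // Second control (assumed policy): only serve .html files.
    if (pathinfo($path, PATHINFO_EXTENSION) !== 'html') {
        throw new RuntimeException('only .html templates may be served');
    }
    $data = file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException('unable to read template');
    }
    return $data;
}

// Request handling as it might sit behind /api_vedo/template (assumed shape).
$html = (string) ($_GET['html'] ?? '');
try {
    header('Content-Type: text/html; charset=utf-8');
    echo safe_template($html);
} catch (Throwable $e) {
    http_response_code(400);
    echo 'bad request';
}
```

The containment check is done on the canonical path rather than on the raw string: blocklisting '../' in the input is weaker, since URL-encoded or otherwise transformed variants may be normalized by the server before they reach the filesystem call, whereas realpath() reflects what the filesystem will actually open. Requires PHP 8.0 or later for str_contains(), str_starts_with() and the string|false return type.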
Remediation
Users are advised to update to Vedo Suite version 2025.07 or later, where this vulnerability has been patched. Until the update is applied, requests to '/api_vedo/template' whose 'html' parameter contains traversal sequences (including URL-encoded forms such as '%2e%2e%2f') can be blocked at the web server or WAF, and access logs for that endpoint should be reviewed for prior exploitation attempts.
