Vedo Suite Incorrect Access Control Vulnerability Allowing High Privilege JWT Token Acquisition

Vulnerability

An incorrect access control vulnerability has been identified in Vedo Suite version 2024.17. This vulnerability allows remote attackers to obtain a valid high privilege JSON Web Token (JWT) without prior authentication. The issue arises from the application accepting empty HTTP POST requests to the '/autologin/' API endpoint, which then generates a high privilege token. This vulnerability was patched in version 2025.07.

Impact

By obtaining a high privilege JWT token, an attacker exploiting this vulnerability gains unauthorized access to high privilege functionality or data.

Reproduction

To reproduce this vulnerability, send an empty HTTP POST request to the '/api_vedo/autologin' endpoint. The response will include a high privilege JWT token.
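A defender-side check for the request pattern described above, added here as an example and not part of the advisory or of Vedo Suite itself: it scans web-server access logs for empty POST requests to the autologin endpoint (either path spelling given on this page) that were answered with a 2xx status, which is the signature of a token having been issued. The log layout, the sample lines and the source addresses are constructed assumptions; a real deployment must adjust the regex to its proxy's format and must actually log the request-body size.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Assumed access-log layout (constructed for this example): the usual
# client/timestamp/request/status/response-size fields, followed by the size of
# the request body in bytes. Adjust the regex to your proxy's real log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<resp_bytes>\d+|-) (?P<req_body_bytes>\d+)$'
)

# Constructed sample lines; addresses come from documentation ranges.
# Line 2 carries a request body, line 3 is not the endpoint, and line 5 shows
# the behaviour of a server that rejects the empty request (no token issued).
LOG_SAMPLE = """\
203.0.113.10 - - [06/Aug/2025:21:30:01 +0000] "POST /api_vedo/autologin HTTP/1.1" 200 812 0
198.51.100.7 - - [06/Aug/2025:21:30:05 +0000] "POST /api_vedo/autologin HTTP/1.1" 200 812 143
203.0.113.10 - - [06/Aug/2025:21:30:09 +0000] "GET /api_vedo/status HTTP/1.1" 200 120 0
203.0.113.10 - - [06/Aug/2025:21:30:11 +0000] "POST /autologin/ HTTP/1.1" 200 812 0
192.0.2.44 - - [06/Aug/2025:21:31:00 +0000] "POST /api_vedo/autologin HTTP/1.1" 401 45 0
garbage that is not an access log line
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    ip: str
    path: str
    status: int


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_autologin_path(path):
    """True for either endpoint spelling given in the advisory, ignoring the
    query string and a trailing slash."""
    bare = path.split("?", 1)[0].rstrip("/")
    return bare.endswith("/autologin")


def is_empty_autologin_success(rec):
    """The pattern the advisory describes: an empty POST to the autologin
    endpoint that the server answered successfully, i.e. a token was issued."""
    return (
        rec["method"] == "POST"
        and is_autologin_path(rec["path"])
        and int(rec["req_body_bytes"]) == 0
        and rec["status"].startswith("2")
    )


def scan(log_text):
    """Scan raw log text and return one Finding per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_empty_autologin_success(rec):
            findings.append(Finding(rec["ts"], rec["ip"], rec["path"], int(rec["status"])))
    return findings


def count_by_ip(findings):
    """Number of suspicious autologin hits per source address, for triage."""
    return dict(Counter(f.ip for f in findings))


if __name__ == "__main__":
    hits = scan(LOG_SAMPLE)
    for f in hits:
        print(f"{f.ts} {f.ip} {f.path} -> {f.status}")
    print("per-source counts:", count_by_ip(hits))
```

Running this over the constructed sample flags the two empty POSTs from 203.0.113.10 and ignores the request that carried a body, the GET, and the rejected request. The same scan run over historical logs after updating to 2025.07 tells you whether the endpoint was hit while the vulnerable version was deployed, and the per-source counts give a starting point for follow-up.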

Remediation

Users are advised to update to Vedo Suite version 2025.07 or later.

Added: Aug 6, 2025, 9:34 PM
Updated: Aug 6, 2025, 9:34 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.