Vedo Suite Unrestricted File Upload Vulnerability Allowing Remote Code Execution
Vulnerability
A vulnerability allowing unrestricted file uploads has been identified in Vedo Suite version 2024.17. This issue, which has been patched in version 2025.07, enables remote authenticated attackers to upload files to arbitrary locations on the filesystem. The vulnerability arises from the insecure 'uploadPreviews()' function in the '/api_vedo/colorways_preview' endpoint. Exploitation of this vulnerability could lead to remote code execution.
Impact
Exploitation of this vulnerability allows for remote code execution on the server where Vedo Suite is installed.
Reproduction
To reproduce this vulnerability, send a POST request to the '/api_vedo/colorways_preview' endpoint. Include the 'dl_file_preview' parameter in the 'job' payload, specifying a filename such as '/tmp/test.jpg'. After uploading the file, the 'api_vedo/video/preview' endpoint can be used to access the uploaded file, executing any contained code if the file is interpreted as a script.
Remediation
Users are advised to update to Vedo Suite version 2025.07 or later.
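The root cause described above is a client-controlled filename that is joined onto the server's upload directory without validation. The following added example (not Vedo Suite's code; the upload root, extension allow-list and function names are assumptions) contrasts that flawed pattern with a hardened path-construction routine a developer would use for the 'dl_file_preview' value.

```python
import os
import re
from pathlib import Path
from typing import Optional

# Assumed upload root and allow-list: the advisory does not give Vedo Suite's
# real paths, so these are placeholders for the demonstration.
PREVIEW_ROOT = Path("/var/app/previews").resolve()
ALLOWED_EXT = {".jpg", ".jpeg", ".png"}
# Bare filename: letters, digits, '_' or '-', then exactly one extension.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}$")


def vulnerable_preview_path(dl_file_preview: str) -> Path:
    """Mirrors the flawed pattern the advisory describes: the client-supplied
    'dl_file_preview' value is joined as-is. os.path.join discards every
    component before an absolute one, so '/tmp/test.jpg' replaces the root."""
    return Path(os.path.join(PREVIEW_ROOT, dl_file_preview))


def reject_reason(dl_file_preview: str) -> Optional[str]:
    """Return why a client-supplied name is unsafe, or None if it passes."""
    if dl_file_preview in ("", ".", ".."):
        return "empty or dot name"
    if any(c in dl_file_preview for c in ("/", "\\", "\x00")):
        return "path separator or NUL in name"
    if not SAFE_NAME.fullmatch(dl_file_preview):
        return "name has characters outside the allowed set"
    if os.path.splitext(dl_file_preview)[1].lower() not in ALLOWED_EXT:
        return "extension is not an allow-listed image type"
    return None


def safe_preview_path(dl_file_preview: str) -> Path:
    """Hardened form: validate the name, then confirm the joined path still
    resolves directly inside PREVIEW_ROOT before touching the filesystem."""
    reason = reject_reason(dl_file_preview)
    if reason is not None:
        raise ValueError(reason)
    target = (PREVIEW_ROOT / dl_file_preview).resolve()
    if target.parent != PREVIEW_ROOT:  # defence in depth (symlinks, odd names)
        raise ValueError("resolved path escapes the preview directory")
    return target
```

Storing uploads under a server-generated name (for example a random identifier plus the validated extension) removes the client's influence over the on-disk path entirely, which is the stronger fix.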
