Vedo Suite Local File Inclusion Vulnerability
Vulnerability
A local file inclusion (LFI) vulnerability exists in Vedo Suite version 2024.17 that allows remote authenticated attackers to read arbitrary files from the filesystem. The flaw is an unsanitized 'readfile()' call in the '/api_vedo/video/preview' endpoint, which reads whatever path it is handed. The issue has been patched in version 2025.07.
Impact
Exploitation of this vulnerability allows local file inclusion: an attacker with valid credentials can read sensitive files from the server's filesystem. Any file readable by the account the application runs as is exposed, which can disclose application secrets or system information and enable further compromise.
Reproduction
To reproduce this vulnerability, send a GET request to the '/api_vedo/video/preview' endpoint with the 'file' parameter set to a file path, such as '/etc/passwd'. The response will include the contents of the specified file, demonstrating the local file inclusion.
Remediation
Users are advised to update to Vedo Suite version 2025.07 or later, where this vulnerability has been patched.
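The two defensive pieces a practitioner would want around this bug, as an added example that is not Vedo Suite's own code: a containment check of the kind a patched preview handler should apply before calling readfile(), and a detector that flags access-log requests to the '/api_vedo/video/preview' endpoint whose 'file' parameter is absolute or traverses with '..'. The media base directory, the log format and the sample log lines are constructed here; only the endpoint and parameter names come from the advisory.

```python
from typing import List, Optional, Tuple
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

PREVIEW_ENDPOINT = "/api_vedo/video/preview"  # endpoint named in the advisory


def resolve_preview_path(base_dir: str, requested: str) -> Optional[str]:
    """Return the real path of `requested` inside `base_dir`, else None.
    Absolute values are rejected and the joined path is canonicalised so
    '..' segments and symlinks cannot escape the media directory."""
    if not requested or requested.startswith(("/", "\\")) or os.path.isabs(requested):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None  # traversal or a symlink escaped base_dir
    return candidate


# Constructed access-log lines (common log format) for the detector below.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2025:12:00:01 +0000] "GET /api_vedo/video/preview?file=intro.mp4 HTTP/1.1" 200 4096
10.0.0.9 - - [10/Mar/2025:12:00:02 +0000] "GET /api_vedo/video/preview?file=/etc/passwd HTTP/1.1" 200 1842
10.0.0.9 - - [10/Mar/2025:12:00:03 +0000] "GET /api_vedo/video/preview?file=..%252F..%252Fconfig.php HTTP/1.1" 200 911
10.0.0.7 - - [10/Mar/2025:12:00:04 +0000] "GET /api_vedo/video/list HTTP/1.1" 200 120
"""

REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP')


def suspicious_preview_requests(log_text: str) -> List[Tuple[str, str]]:
    """Return (source address, decoded 'file' value) for preview requests
    whose 'file' parameter is absolute or contains a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != PREVIEW_ENDPOINT:
            continue
        for value in parse_qs(url.query).get("file", []):
            decoded = unquote(value)  # parse_qs decoded once; this catches double encoding
            segments = decoded.replace("\\", "/").split("/")
            if decoded.startswith(("/", "\\")) or ".." in segments:
                hits.append((m.group("src"), decoded))
    return hits
```

The detector only inspects the request line, so it sees attempts whether or not they succeeded; correlating hits with the status code and response size tells you which ones actually returned file contents.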
