Jacopo "Eitur" Augelli

7 exploits, active since Aug 2025
CVE-2025-51052 WRITEUP MEDIUM WORKING POC
Vedo Suite <2024.17 - Path Traversal
A path traversal vulnerability in Vedo Suite 2024.17 allows remote authenticated attackers to read arbitrary filesystem files by exploiting an unsanitized 'file_get_contents()' function call in '/api_vedo/template'.
CVSS 6.5
CVE-2025-51053 WRITEUP MEDIUM WORKING POC
Vedo Suite 2024.17 - Stored Cross-Site Scripting via /api_vedo/ Endpoint
A cross-site scripting (XSS) vulnerability in /api_vedo/ in Vedo Suite version 2024.17 allows remote attackers to inject arbitrary JavaScript or HTML code and potentially trigger code execution in a victim's browser.
CVSS 6.1
CVE-2025-51054 WRITEUP MEDIUM WORKING POC
Vedo Suite 2024.17 - Info Disclosure
Vedo Suite 2024.17 is vulnerable to incorrect access control, which allows remote attackers to obtain a valid high-privilege JWT token without prior authentication by sending an empty HTTP POST request to the /autologin/ API endpoint.
CVSS 6.5
CVE-2025-51055 WRITEUP HIGH WORKING POC
Vedo Suite <2024.17 - Info Disclosure
Insecure storage of credentials has been found in the /api_vedo/configuration/config.yml file in Vedo Suite version 2024.17. The file contains clear-text credentials, secret keys, and database information.
CVSS 8.6
CVE-2025-51056 WRITEUP HIGH WORKING POC
Vedo Suite 2024.17 - Authenticated Unrestricted File Upload and Remote Code Execution via uploadPreviews()
An unrestricted file upload vulnerability in Vedo Suite version 2024.17 allows remote authenticated attackers to write to arbitrary filesystem paths by exploiting the insecure 'uploadPreviews()' custom function in '/api_vedo/colorways_preview', ultimately resulting in remote code execution (RCE).
CVSS 8.2
CVE-2025-51057 WRITEUP MEDIUM WORKING POC
Vedo Suite 2024.17 - Authenticated Local File Inclusion via /api_vedo/video/preview
A local file inclusion (LFI) vulnerability in Vedo Suite version 2024.17 allows remote authenticated attackers to read arbitrary filesystem files by exploiting an unsanitized 'readfile()' function call in '/api_vedo/video/preview'.
CVSS 6.5
CVE-2025-51058 WRITEUP MEDIUM WORKING POC
Bottinelli Informatical Vedo Suite 2024.17 - SSRF
Bottinelli Informatical Vedo Suite 2024.17 is vulnerable to server-side request forgery (SSRF) in the /api_vedo/video/preview endpoint, which allows remote authenticated attackers to trigger HTTP requests to arbitrary remote paths via the "file" URL parameter.
CVSS 6.5