PT-2025-32220 · Unknown · Vedo Suite
Davide Reggiani +1 · Published 2025-08-06 · Updated 2025-08-07 · CVE-2025-51056
CVSS v3.1: 8.2 High
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Vedo Suite version 2024.17
Description
An unrestricted file upload issue exists in Vedo Suite version 2024.17. Remote authenticated attackers can write to arbitrary filesystem paths by exploiting the insecure uploadPreviews() custom function in /api vedo/colorways preview, potentially leading to remote code execution (RCE).
Recommendations
As a temporary workaround, consider restricting access to the /api vedo/colorways preview API endpoint until a patch is available.
Review and modify the uploadPreviews() function to implement proper file upload restrictions and sanitization.
Exploit
Fix
RCE
Unrestricted File Upload
Affected Products
Vedo Suite