By modifying the Content-Type to be blank, during a PUT command, the researcher was able to upload files to the CDN. This has been resolved.
It was possible to write (and overwrite) arbitrary files to the CDN (
vpe.cdn.vimeo.tv ) used for JS scripts delivery on the various in-scope assets using the PUT method with blank or application/octet-stream Content-Type. Any other Content-Type caused auth error from Google Cloud Storage side.
PUT /something.js HTTP/1.1
with XSS payload or overwritesomething.js` if it already exist.
The issue was fixed fast. Thanks to the VHX team for the great experience, awesome communication and the bounty!