Mocodo Mocodo Online 4.2.6 and below is vulnerable to Remote Code Execution via /web/rewrite.php.
The vulnerability is classified as CWE-75 (improper neutralization of special elements in input data) and affects the rewrite.php file in the application's web component. Inadequate validation or sanitization of input data passed to this endpoint allows for injection and execution of malicious code on the server side. The attack vector is network-based, requiring no special privileges or user interaction.
An attacker can gain full control over the server β including access to sensitive data, the ability to modify files, and disruption of service availability (complete violation of confidentiality, integrity, and availability).
Apply patches available from the manufacturer according to the references. Until the update is applied, it is recommended to restrict access to the /web/rewrite.php endpoint at the firewall or web server level, and avoid publicly exposing the application instance.
Mocodo Online version 4.2.6 and all earlier versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMocodo Online
APPMocodoβ€ 4.2.6