CRITICALπŸ‡΅πŸ‡± Wersja polska

CVE-2024-35374

CVSS 9.8v3.1pub. 2024-05-24upd. 2025-06-10

Mocodo Mocodo Online 4.2.6 and below does not properly sanitize the sql_case input field in /web/generate.php, allowing remote attackers to execute arbitrary commands and potentially command injection, leading to remote code execution (RCE) under certain conditions.

πŸ€– AI Analysis
How it works

The application does not properly filter user-supplied data in the sql_case field when processing requests to the /web/generate.php file. An attacker can inject malicious system commands (command injection, CWE-77) directly into this field. When certain environmental conditions are met, the injected commands are executed by the server with the privileges of the application process, resulting in full remote code execution (RCE).

Impact

An attacker without any authentication can take control of the server by executing arbitrary code β€” potentially gaining access to data, installing a backdoor, or escalating privileges in the system.

Mitigation & patch

Patches available from the vendor should be applied according to references. It is recommended to update to a version higher than 4.2.6 and restrict public access to the /web/generate.php endpoint until the fix is implemented.

Who is affected

Mocodo Online version 4.2.6 and all earlier versions

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mocodo Online

    APP
    Mocodo
    ≀ 4.2.6
πŸ”΅
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-35373CRITICAL9.8PL βœ“ten sam produkt

RCE w Mocodo Online β€” podatny endpoint rewrite.php

CVE-2024-35374 β€” Mocodo β€” Mocodo Online β€” CRITICAL β€” CVSS 9.8 | CVEbaza.pl