Vulnerability Details CVE-2024-35374
Mocodo Mocodo Online 4.2.6 and below does not properly sanitize the sql_case input field in /web/generate.php, allowing remote attackers to execute arbitrary commands and potentially command injection, leading to remote code execution (RCE) under certain conditions.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.047
EPSS Ranking 88.9%
CVSS Severity
CVSS v3 Score 9.8
References
- https://chocapikk.com/posts/2024/mocodo-vulnerabilities/
- https://github.com/laowantong/mocodo/blob/11ca879060a68e06844058cd969c6379214cc2a8/web/generate.php#L104-L158
- https://chocapikk.com/posts/2024/mocodo-vulnerabilities/
- https://github.com/laowantong/mocodo/blob/11ca879060a68e06844058cd969c6379214cc2a8/web/generate.php#L104-L158
Products affected by CVE-2024-35374
-
cpe:2.3:a:mocodo:mocodo_online:*