CVE-2024-35374

CRITICAL LAB

Mocodo Online < 4.2.6 - Command Injection

Title source: rule

Description

Mocodo Online 4.2.6 and below does not properly sanitize the sql_case input field in /web/generate.php, allowing remote attackers to inject and execute arbitrary commands, leading to remote code execution (RCE) under certain conditions.

Exploits (1)

nomisec WORKING POC 1 star
by Rikoot · poc
https://github.com/Rikoot/CVE-2024-35374

Scores

CVSS v3 9.8
EPSS 0.0837
EPSS Percentile 92.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

Community Lab
docker pull trafex/php-nginx:latest

Details

CWE CWE-77
Status published
Products (2)
mocodo/mocodo_online < 4.2.6
pypi/mocodo 0 - 4.2.7 (PyPI)
Published May 24, 2024
Tracked Since Feb 18, 2026