Cyber Resilience

CVE-2024-35374

Critical · Public PoC · RCE

Published: 24 May 2024

Modified: 10 June 2025
KEV Added: not listed
Patch: no patch referenced
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0837 (92.5th percentile)
Risk priority: 25 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-35374 is a critical-severity Command Injection (CWE-77) vulnerability in Mocodo Mocodo Online. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 7.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

Mocodo Mocodo Online versions 4.2.6 and below are affected by a command injection vulnerability tracked as CVE-2024-35374. The flaw stems from insufficient sanitization of the sql_case input field in the /web/generate.php endpoint, which maps to CWE-77 and carries a CVSS 3.1 score of 9.8.

Unauthenticated remote attackers can supply crafted input to the publicly reachable endpoint and achieve arbitrary command execution, resulting in remote code execution under certain runtime conditions.

The referenced technical write-up and source-code links provide no details on official patches or mitigation steps. The associated EPSS score remains flat at 0.0837 with no observed increase after disclosure.

Vulnerability details

Mocodo Mocodo Online 4.2.6 and below does not properly sanitize the sql_case input field in /web/generate.php, allowing remote attackers to inject and execute arbitrary commands, which can lead to remote code execution (RCE) under certain conditions.

CWE(s)

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: mocodo
Product: mocodo online
Versions: ≤ 4.2.6

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.