CVE-2024-35374
Published: 24 May 2024
Summary
CVE-2024-35374 is a critical-severity Command Injection (CWE-77) vulnerability in Mocodo Mocodo Online. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 7.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Mocodo Mocodo Online versions 4.2.6 and below are affected by a command injection vulnerability tracked as CVE-2024-35374. The flaw stems from insufficient sanitization of the sql_case input field handled by the /web/generate.php endpoint; it maps to CWE-77 and carries a CVSS 3.1 base score of 9.8.
Because the endpoint is publicly reachable and requires no authentication, a remote attacker can supply crafted input to it and achieve arbitrary command execution, which amounts to remote code execution under certain runtime conditions.
The referenced technical write-up and source-code links provide no details on official patches or mitigation steps. The associated EPSS score remains flat at 0.0837 with no observed increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1660
Vulnerability details
Mocodo Mocodo Online 4.2.6 and below does not properly sanitize the sql_case input field in /web/generate.php, allowing remote attackers to inject and execute arbitrary commands, leading to remote code execution (RCE) under certain conditions.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.