Safety vulnerability ID: 73341
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Affected versions of Mocodo are vulnerable to OS Command Injection. The flaw can lead to remote code execution, allowing an attacker to run arbitrary commands on the server. The attack vector is unsanitized user input in the web interface: in the generate.php script, the sql_case parameter is used without proper escaping when the $transformation_options string is built. The issue is easy to exploit because it requires minimal user interaction. To mitigate it, upgrade to Mocodo version 4.2.7 or later, which sanitizes the input with escapeshellarg(). Only PHP-based deployments of Mocodo's web interface are affected. The CWE for this vulnerability is CWE-78: Improper Neutralization of Special Elements used in an OS Command.
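The advisory describes the general CWE-78 pattern (a request parameter concatenated into a command string) and the fix (escapeshellarg()). The following is an added illustration of that pattern, not Mocodo's generate.php code: the function names, the option name `--sql-case`, and the allow-list values are assumptions, and only the parameter name sql_case comes from the advisory.

```php
<?php
// Added illustration, not Mocodo's code. Shows the weak construction the
// advisory describes beside the hardened form it attributes to 4.2.7.
// Assumed names: build_options_*, the --sql-case option, SQL_CASE_ALLOWED.

// Weak form (constructed): the parameter is spliced into the command string
// as-is, so any shell metacharacters it contains are interpreted by the
// shell instead of being passed to the program as data.
function build_options_unsafe(string $sql_case): string
{
    return "--sql-case " . $sql_case;
}

// Hardened form: escapeshellarg() wraps the value in single quotes and
// escapes embedded single quotes, so the whole value reaches the program
// as exactly one literal argument.
function build_options_escaped(string $sql_case): string
{
    return "--sql-case " . escapeshellarg($sql_case);
}

// Defense in depth (an addition here, not part of the advisory): when a
// parameter can only take a few known values, reject anything else before
// it gets anywhere near a command line. The allowed values are constructed.
const SQL_CASE_ALLOWED = ['lower', 'upper', 'camel'];

function build_options_validated(string $sql_case): string
{
    if (!in_array($sql_case, SQL_CASE_ALLOWED, true)) {
        throw new InvalidArgumentException('unsupported sql_case value');
    }
    return "--sql-case " . escapeshellarg($sql_case);
}

// Constructed input containing a shell separator, used only to make the
// difference between the three constructions visible.
$input = "lower; echo hello";
echo build_options_unsafe($input), PHP_EOL;
echo build_options_escaped($input), PHP_EOL;
try {
    echo build_options_validated($input), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;
}
```

Run with `php example.php`. The escaped form keeps the separator inside a single-quoted argument; the validated form refuses the value outright. escapeshellarg() is the right tool for a single argument, but an allow-list check on parameters with a small fixed domain is cheaper to audit and removes the shell from the trust boundary altogether.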
Latest version: 4.2.12
Conceptual Data Modeling. Nickel. No mouse.