Safety vulnerability ID: 71899
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Affected versions of Mocodo are vulnerable to OS Command Injection. This vulnerability could result in remote code execution, potentially leading to unauthorized access to sensitive data or complete system compromise. The attack vector involves manipulating input fields in the web interface, particularly in generate.php and rewrite.php. Vulnerable areas include the construction of $basthon_options in generate.php and $command_line in rewrite.php. The vulnerability is exploitable by an attacker with access to the web interface. To remediate, update to Mocodo version 4.2.7 or later, which properly escapes user input using escapeshellarg(). This vulnerability primarily affects PHP-based deployments of Mocodo's online interface. The CWE classification is CWE-78: Improper Neutralization of Special Elements used in an OS Command.
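The pattern the advisory describes, shown as an added example: a shell string built by concatenating request values, next to the same construction with escapeshellarg(). This is not Mocodo's code. The option names, the "mocodo" binary name and the sample request are assumptions made for illustration, and a POSIX shell is assumed.

```php
<?php
// Added illustration, not Mocodo's source. Option names and the "mocodo"
// binary name are hypothetical.

// Vulnerable pattern: request values are pasted into the shell string, so
// characters such as ; | & $ ` and quotes are interpreted by the shell.
function build_command_unsafe(array $request): string
{
    $command_line = 'mocodo';
    foreach ($request as $name => $value) {
        $command_line .= " --$name $value";
    }
    return $command_line;
}

// Hardened pattern: option names come from a fixed allow-list and every
// value goes through escapeshellarg(), so it reaches the program as exactly
// one literal argument. $program is a constant chosen by the code, never
// taken from the request.
function build_command_safe(array $request, string $program = 'mocodo'): string
{
    $allowed = ['title', 'flex', 'text'];      // hypothetical option names
    $command_line = $program;
    foreach ($request as $name => $value) {
        if (!in_array($name, $allowed, true) || !is_string($value)) {
            continue;                           // drop unknown keys and array values
        }
        $command_line .= ' --' . $name . ' ' . escapeshellarg($value);
    }
    return $command_line;
}

// Constructed sample request: one value carries shell metacharacters.
$request = [
    'title' => 'Sales model',
    'flex'  => '0.5; echo INJECTED',
    'debug' => 'x',                             // not on the allow-list
];

echo 'unsafe: ', build_command_unsafe($request), PHP_EOL;
echo 'safe:   ', build_command_safe($request), PHP_EOL;

// Run only the hardened string, with printf standing in for the real binary,
// to show how the shell splits it: one bracketed line per argument.
exec(build_command_safe($request, "printf '[%s]\\n'"), $argv_seen);
echo implode(PHP_EOL, $argv_seen), PHP_EOL;
```

In the hardened output the whole `flex` value appears inside a single pair of brackets, meaning the shell treated it as data rather than as a second command.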
Latest version: 4.2.12
Conceptual data modeling. Spotless. No mouse.