PT-2024-26467 · Mocodo · Mocodo Online
Reported by: Chocapikk (+1)
Published: 2024-05-24 · Updated: 2025-09-22
CVE ID: CVE-2024-35374
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Mocodo Online, versions 4.2.6 and below
Description: The issue arises from improper sanitization of the "sql case" input field in the /web/generate.php endpoint. A remote attacker can inject arbitrary SQL commands and potentially operating-system commands (command injection), which under certain conditions leads to remote code execution (RCE).
Recommendations: For versions 4.2.6 and below, consider disabling access to the /web/generate.php endpoint until a proper fix is applied, and ensure that all input fields, especially "sql case", are properly sanitized to prevent command injection and RCE.

Tags: Exploit, Fix, RCE, SQL injection, Command Injection

Related Identifiers: CVE-2024-35374, GHSA-J6CV-98JX-MRWR
Affected Products: Mocodo Online