CRITICAL🇵🇱 Wersja polska

CVE-2024-35373

CVSS 9.8v3.1pub. 2024-05-24upd. 2025-06-10

Mocodo Mocodo Online 4.2.6 and below is vulnerable to Remote Code Execution via /web/rewrite.php.

🤖 AI Analysis
How it works

The vulnerability is classified as CWE-75 (improper neutralization of special elements in input data) and affects the rewrite.php file in the application's web component. Inadequate validation or sanitization of input data passed to this endpoint allows for injection and execution of malicious code on the server side. The attack vector is network-based, requiring no special privileges or user interaction.

Impact

An attacker can gain full control over the server — including access to sensitive data, the ability to modify files, and disruption of service availability (complete violation of confidentiality, integrity, and availability).

Mitigation & patch

Apply patches available from the manufacturer according to the references. Until the update is applied, it is recommended to restrict access to the /web/rewrite.php endpoint at the firewall or web server level, and avoid publicly exposing the application instance.

Who is affected

Mocodo Online version 4.2.6 and all earlier versions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mocodo Online

    APP
    Mocodo
    ≤ 4.2.6
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-35374CRITICAL9.8PL ✓ten sam produkt

Command Injection / RCE w Mocodo Online przez pole sql_case