Mocodo Mocodo Online 4.2.6 and below does not properly sanitize the sql_case input field in /web/generate.php, allowing remote attackers to execute arbitrary commands and potentially command injection, leading to remote code execution (RCE) under certain conditions.
The application does not properly filter user-supplied data in the sql_case field when processing requests to the /web/generate.php file. An attacker can inject malicious system commands (command injection, CWE-77) directly into this field. When certain environmental conditions are met, the injected commands are executed by the server with the privileges of the application process, resulting in full remote code execution (RCE).
An attacker without any authentication can take control of the server by executing arbitrary code — potentially gaining access to data, installing a backdoor, or escalating privileges in the system.
Patches available from the vendor should be applied according to references. It is recommended to update to a version higher than 4.2.6 and restrict public access to the /web/generate.php endpoint until the fix is implemented.
Mocodo Online version 4.2.6 and all earlier versions
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMocodo Online
APPMocodo≤ 4.2.6