CVE-2023-40955
Description
A SQL injection vulnerability in Didotech srl Engineering & Lifecycle Management (aka pdm) v.14.0, v.15.0 and v.16.0 fixed in pdm-14.0.1.0.0, pdm-15.0.1.0.0, and pdm-16.0.1.0.0 allows a remote authenticated attacker to execute arbitrary code via the select parameter in models/base_client.py component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated SQL injection in Didotech pdm (Odoo module) v14-16 allows arbitrary code execution via the select parameter.
Vulnerability
A SQL injection vulnerability exists in the models/base_client.py component of Didotech srl Engineering & Lifecycle Management (pdm) versions 14.0, 15.0, and 16.0 [1]. The pml_config_settings::getQueryRes method passes an attacker-controlled select parameter into an SQL query without proper sanitization, allowing injection of arbitrary SQL statements [1]. The issue was fixed in versions pdm-14.0.1.0.0, pdm-15.0.1.0.0, and pdm-16.0.1.0.0 [1].
Exploitation
An authenticated attacker (portal or internal user) on an Odoo instance with the pdm module installed can trigger the vulnerable getQueryRes method via the External API (XML-RPC) [1]. By passing a crafted select parameter containing an SQL query, the attacker can inject arbitrary SQL into the executed query [1]. No special privileges beyond regular user authentication are required; a portal user without access to Inventory or Manufacturing modules can still successfully exploit this flaw [1].
Impact
Successful exploitation lets a remote authenticated attacker run arbitrary SQL statements against the Odoo database, yielding privilege escalation and information disclosure [1]. Because the injected SQL runs on Odoo's own database connection, it executes with the privileges of the PostgreSQL role Odoo connects as and bypasses the ORM's access rights and record rules entirely, so any table can be read or modified (the PoC overwrites the admin user's password). The vendor advisory indicates this can rise to arbitrary code execution [1].
Mitigation
All affected versions should be upgraded to the fixed releases: pdm-14.0.1.0.0, pdm-15.0.1.0.0, or pdm-16.0.1.0.0 [1]. The vendor made the patch available before public disclosure [1]. The advisory documents no workaround beyond the fix itself, which is to parameterize the query or to make getQueryRes private [1]; the latter works as an interim measure because Odoo's RPC dispatcher refuses to call underscore-prefixed methods remotely, but it is no substitute for the update. Independently of this bug, the PostgreSQL role Odoo connects as should not be a superuser: the PoC's `COPY ... TO '/dev/null'` fragment only succeeds for a role permitted to write server-side files, and that capability is what lets an injection like this one write files on the database host rather than merely read and modify tables.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Didotech srl / Engineering & Lifecycle Management
- Range: 14.0, 15.0, 16.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the `select` parameter of `getQueryRes` allows direct SQL injection into the database cursor query."
Attack vector
A remote authenticated attacker (even a portal user with no special permissions) can call the public `getQueryRes` method on the `plm.config.settings` model via the Odoo External API (XML-RPC) [1]. By crafting the `select` parameter to include malicious SQL, for example appending an UPDATE statement after a benign SELECT, the attacker's injected query is executed directly against the database [1]. This enables privilege escalation (e.g., overwriting the admin user's password) and information disclosure [1].
Affected code
The vulnerability resides in `models/base_client.py` within the `pml_config_settings::getQueryRes(tmp_file, select)` method [1]. The `select` parameter is passed unsanitized into an SQL query executed through the database cursor, allowing injection of arbitrary SQL statements [1].
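As an added example (not the vendor's code and not from the advisory), the following Python scans Odoo addon source for the shape described above: a method that is public, and therefore reachable through `execute_kw`, whose cursor `.execute()` receives a string built by formatting. The input is a constructed snippet that imitates the described method; the class name, the `COPY` wrapper and the sibling methods are assumptions, and `models/base_client.py` itself is not reproduced. The check is a heuristic, not a proof of safety.

```python
"""Added example (not from the advisory): a static check for the bug class
behind this CVE, i.e. a model method that Odoo exposes over the External
API (no leading underscore) and that hands formatted SQL to cr.execute().
The sample source below is constructed to imitate the described shape."""
import ast

# Constructed sample: class name, COPY wrapper and sibling methods are
# assumptions; the real models/base_client.py is not reproduced here.
SAMPLE_SOURCE = '''
class PlmConfigSettings(models.TransientModel):
    _name = "plm.config.settings"

    def getQueryRes(self, tmp_file, select):
        query = "COPY (%s) TO '%s'" % (select, tmp_file)
        self.env.cr.execute(query)

    def _get_query_res(self, report, filename):
        self.env.cr.execute("SELECT id FROM res_users WHERE login = %s", (filename,))

    def count_users(self):
        self.env.cr.execute("SELECT count(*) FROM res_users")
        return self.env.cr.fetchone()[0]
'''


def _is_formatted_sql(node):
    """True for expressions that build a string at runtime: f-strings,
    '%' or '+' with a string operand, and str.format()."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return any(isinstance(side, ast.JoinedStr)
                   or (isinstance(side, ast.Constant) and isinstance(side.value, str))
                   for side in (node.left, node.right))
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def _formatted_locals(func):
    """Local names assigned from a formatted-string expression."""
    names = set()
    for node in ast.walk(func):
        if isinstance(node, ast.Assign) and _is_formatted_sql(node.value):
            names.update(t.id for t in node.targets if isinstance(t, ast.Name))
    return names


def find_public_dynamic_sql(source):
    """Return [(class, method, line)] for public methods in which a
    .execute() call receives formatted SQL, directly or via a local."""
    findings = []
    for cls in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.ClassDef)):
        for func in cls.body:
            if not isinstance(func, ast.FunctionDef) or func.name.startswith("_"):
                continue                     # private methods are not RPC-callable
            tainted = _formatted_locals(func)
            for call in ast.walk(func):
                if not (isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute)
                        and call.func.attr == "execute" and call.args):
                    continue
                sql = call.args[0]
                if _is_formatted_sql(sql) or (isinstance(sql, ast.Name) and sql.id in tainted):
                    findings.append((cls.name, func.name, call.lineno))
    return findings


if __name__ == "__main__":
    for cls_name, method, line in find_public_dynamic_sql(SAMPLE_SOURCE):
        print("%s.%s (line %d): formatted SQL reaches cr.execute() from a public method"
              % (cls_name, method, line))
```

On the constructed sample only `getQueryRes` is reported: `_get_query_res` is skipped because the underscore keeps it off the RPC surface, and `count_users` passes a constant string. A `%s` placeholder with a parameter tuple, the correct psycopg2 idiom, is a constant string to the parser and is therefore not flagged.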
What the fix does
The advisory states that a patch has been made available by the vendor in versions pdm-14.0.1.0.0, pdm-15.0.1.0.0, and pdm-16.0.1.0.0 [1]. The recommended remediation is to use prepared statements to safely parameterize the SQL query, or to make the `getQueryRes` method private so it is no longer callable from the External API [1]. No patch diff is included in the bundle.
Preconditions
- auth: Attacker must be an authenticated user (portal or internal) of an Odoo instance with the pdm module installed.
- config: The pdm module must be installed and the `plm.config.settings` model must be accessible via the External API.
- network: Attacker must be able to send XML-RPC requests to the Odoo instance.
Reproduction
The PoC calls the method over XML-RPC as `models.execute_kw(db, uid, password, 'plm.config.settings', 'getQueryRes', ['plm.config.settings', 'test', "SELECT * FROM res_users) TO '/dev/null'; UPDATE res_users SET password='whatever' WHERE login='admin'; -- "])` [1]. The payload's shape shows how the `select` value is used: the stray closing parenthesis and `TO '/dev/null'` close what is evidently a `COPY (<select>) TO '<tmp_file>'` wrapper and discard its output, the `;` then starts a second statement (the `UPDATE` that resets the admin password), and the trailing `--` comments out whatever the original template appended after the injected text. The wrapper shape is inferred from the payload; the advisory excerpt does not quote the method body. A recorded demo and exploit code are available in the referenced repository [1].
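The breakout and the fix side by side, as an added example that is neither the vendor's code nor its patch. It serves both "What the fix does" and the reproduction above: the vulnerable builder assumes the `COPY (<select>) TO '<tmp_file>'` wrapper that the PoC payload implies, and a small statement splitter shows the payload turning one statement into two; the hardened variant follows the advisory's two suggestions by accepting a report name instead of SQL text and by being underscore-prefixed, which Odoo's RPC layer refuses to dispatch. Report names, SQL bodies and the export directory are assumptions.

```python
"""Added example (not the vendor's code): how the PoC `select` value breaks
out of a COPY (...) TO '<file>' wrapper, and a hardened replacement.
The wrapper shape is inferred from the PoC payload; the real body of
models/base_client.py is not reproduced here."""
import re
from pathlib import PurePosixPath


def build_copy_query_vulnerable(select, tmp_file):
    """Assumed vulnerable shape: caller-supplied SQL text is formatted
    straight into the statement that goes to cr.execute()."""
    return "COPY (%s) TO '%s'" % (select, tmp_file)


# The `select` argument from the advisory's PoC, verbatim.
POC_SELECT = ("SELECT * FROM res_users) TO '/dev/null'; "
              "UPDATE res_users SET password='whatever' WHERE login='admin'; -- ")


def split_statements(sql):
    """Split SQL on ';' outside single-quoted strings, dropping '--' line
    comments. A simplified scanner, sufficient to show the breakout."""
    stmts, buf, in_quote, i = [], [], False, 0
    while i < len(sql):
        c = sql[i]
        if in_quote:
            buf.append(c)
            if c == "'":
                if sql.startswith("'", i + 1):      # doubled quote stays in the string
                    buf.append("'")
                    i += 1
                else:
                    in_quote = False
        elif c == "'":
            in_quote = True
            buf.append(c)
        elif sql.startswith("--", i):               # comment runs to end of line
            nl = sql.find("\n", i)
            i = len(sql) if nl == -1 else nl
            continue
        elif c == ";":
            stmt = "".join(buf).strip()
            if stmt:
                stmts.append(stmt)
            buf = []
        else:
            buf.append(c)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        stmts.append(tail)
    return stmts


# Hardened shape (illustrative): the caller names a report, the SQL text is
# fixed server-side, the output path is confined to one directory, and the
# method name starts with '_' so Odoo's RPC dispatcher will not expose it.
REPORT_QUERIES = {                                   # assumed report names and bodies
    "bom_export": "SELECT id, name FROM mrp_bom",
    "product_export": "SELECT id, default_code FROM product_product",
}
EXPORT_DIR = PurePosixPath("/var/lib/odoo/exports")  # assumed
_SAFE_FILENAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def _build_copy_query_hardened(report, filename):
    """On the model this would be `def _get_query_res(self, report, filename)`.
    Only allow-listed SQL reaches the cursor; the filename cannot contain a
    quote or a path separator, so quoting it is safe (a real implementation
    would still pass the path through psycopg2.sql.Literal)."""
    try:
        select = REPORT_QUERIES[report]
    except KeyError:
        raise ValueError("unknown report: %r" % report)
    if not _SAFE_FILENAME.fullmatch(filename):
        raise ValueError("rejected filename: %r" % filename)
    return "COPY (%s) TO '%s'" % (select, EXPORT_DIR / filename)


if __name__ == "__main__":
    for n, stmt in enumerate(split_statements(build_copy_query_vulnerable(POC_SELECT, "test")), 1):
        print("statement %d: %s" % (n, stmt))
    print(_build_copy_query_hardened("bom_export", "bom.csv"))
```

Run stand-alone, the vulnerable path yields two statements, the second being the `UPDATE` on `res_users`, while the hardened builder raises on the PoC string, on a traversal filename and on a quote-bearing filename alike. Note that the `COPY ... TO '<path>'` form writes a file on the database host and requires a PostgreSQL role with superuser or `pg_write_server_files` rights, which is why the database role Odoo uses deserves the same least-privilege review as the application method.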
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.