VYPR · Unrated severity · NVD Advisory · Published Sep 14, 2023 · Updated Sep 25, 2024

CVE-2023-40956

Description

A SQL injection vulnerability in Cloudroits Website Job Search v.15.0 allows a remote authenticated attacker to execute arbitrary code via the name parameter in controllers/main.py component.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cloudroits Website Job Search v.15.0 has an authenticated SQL injection in the name parameter, allowing remote code execution via crafted HTTP requests.

Vulnerability

CVE-2023-40956 is a SQL injection vulnerability in the Cloudroits Website Job Search module (technical name: odoo_website_job_search) for Odoo version 15.0. The flaw resides in the controllers/main.py file, specifically within the RecruitmentInherit::search_contents(**kw) method. The name parameter in the /job/search/ route is unsafely incorporated into an SQL query, allowing an attacker to inject arbitrary SQL statements. No special configuration is required beyond having the module installed.

Exploitation

An attacker must be a remote authenticated user of an Odoo instance that has the odoo_website_job_search module installed. The attacker sends an HTTP POST request to the /job/search/ endpoint with a crafted name parameter that contains an SQL injection payload. For example, the PoC in reference [1] demonstrates: "name": "dev'; UPDATE res_users SET password='whatever' WHERE login='admin'; select id as res_id, name as name, name as value from hr_job where name ILIKE 'dev". No user interaction beyond the authenticated session is needed. The database cursor executes the injected query.

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands on the Odoo database, leading to privilege escalation (e.g., changing the admin password) and information disclosure. The attacker can achieve full control over user credentials and sensitive data stored in the database. The scope of compromise is the entire Odoo instance and its data.

Mitigation

A patch has been made available by the module's vendor before the public disclosure of this vulnerability, according to reference [1]. Users should update the odoo_website_job_search module to the latest patched version from the Odoo Apps Store. If no patch has been applied, administrators should disable the module or restrict access to the /job/search/ endpoint until an update is applied. No known KEV listing exists for this CVE.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Root cause

"Missing input validation and lack of prepared statements in the `search_contents` method allows direct SQL injection via the `name` parameter."

Attack vector

A remote attacker sends an HTTP POST request to the `/job/search/` route with a crafted `name` parameter containing SQL injection payloads [ref_id=1]. The affected controller route does not require authentication, so anyone can reach the endpoint [ref_id=1]. Because the database cursor is used directly, no access rights checking is performed, and no input validation or sanitization exists, allowing arbitrary SQL injection [ref_id=1].

Affected code

The vulnerability resides in `controllers/main.py` in the `RecruitmentInherit::search_contents(**kw)` method [ref_id=1]. The `name` parameter is passed directly into a SQL query executed through the database cursor without sanitization or parameterization [ref_id=1].

What the fix does

The advisory states that a patch has been made available by the module's vendor before the repository was made public, but the specific patch content is not included in the bundle [ref_id=1]. The researcher suggests that a possible patch could make use of prepared statements to prevent SQL injection [ref_id=1]. Without the actual patch diff, the exact remediation cannot be detailed further.
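The following is an added illustration, not the module's code and not the vendor patch (which reference [1] does not include): a Python reconstruction of the flawed string-built query beside the prepared-statement form the researcher suggests. It assumes sqlite3 as a stand-in for Odoo's psycopg2 cursor (`?` placeholders instead of `%s`, `LIKE` instead of `ILIKE`), a constructed `hr_job` table, and a hypothetical `'%...%'` pattern around the `name` value.

```python
import sqlite3

# Constructed in-memory stand-in for Odoo's hr_job table and its psycopg2
# cursor: sqlite3 uses "?" placeholders where psycopg2 uses "%s", and its
# LIKE is case-insensitive for ASCII where Postgres needs ILIKE.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hr_job (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO hr_job (name) VALUES (?)",
                     [("Python Developer",), ("DevOps Engineer",),
                      ("Accountant",), ("O'Brien Legal Assistant",)])
    conn.commit()
    return conn

def build_query_unsafe(name):
    # Hypothetical reconstruction of the flawed pattern: the request value is
    # pasted into the SQL text, so quotes and semicolons become SQL syntax.
    return ("SELECT id AS res_id, name AS name, name AS value "
            f"FROM hr_job WHERE name LIKE '%{name}%'")

def search_contents_unsafe(cr, name):
    # Works for ordinary searches, which is why the bug goes unnoticed; any
    # apostrophe or stacked statement reaches the SQL parser. sqlite3 refuses
    # to run more than one statement per execute(), so the attempt surfaces
    # as an error here, whereas psycopg2 would run every statement.
    try:
        cr.execute(build_query_unsafe(name))
        return [tuple(r) for r in cr.fetchall()]
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return {"error": str(exc)}

def escape_like(term):
    # Escape LIKE metacharacters so "%" and "_" typed by the user match
    # literally instead of acting as wildcards.
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def search_contents_fixed(cr, name):
    # Prepared-statement form: the value travels separately from the SQL
    # text and is never parsed as SQL. The psycopg2 equivalent is
    #   cr.execute("... WHERE name ILIKE %s", ("%" + escape_like(name) + "%",))
    cr.execute("SELECT id AS res_id, name AS name, name AS value "
               "FROM hr_job WHERE name LIKE ? ESCAPE '\\'",
               ("%" + escape_like(name) + "%",))
    return [tuple(r) for r in cr.fetchall()]

if __name__ == "__main__":
    cr = make_db().cursor()
    print(search_contents_fixed(cr, "dev"))       # the two developer jobs
    print(search_contents_fixed(cr, "o'brien"))   # apostrophe handled as data
```

With the parameterized form, the advisory's payload is matched literally against job names and simply returns no rows, while a search containing an apostrophe works instead of breaking the query.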

Preconditions

  • config: The Odoo instance must have the odoo_website_job_search module installed
  • auth: No authentication is required; the /job/search/ endpoint is publicly accessible
  • network: The attacker must be able to send HTTP POST requests to the target Odoo instance
  • input: The attacker controls the `name` parameter in the POST body

Reproduction

Send an HTTP POST request to `/job/search/` with a body containing a crafted `name` parameter. Example payload from the advisory: `"name": "dev'; UPDATE res_users SET password='whatever' WHERE login='admin'; select id as res_id, name as name, name as value from hr_job where name ILIKE 'dev"` [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
