VYPR
Unrated severity · NVD Advisory · Published Sep 14, 2023 · Updated Sep 25, 2024

CVE-2023-40957

Description

A SQL injection vulnerability in Didotech srl Engineering & Lifecycle Management (aka pdm) v.14.0, v.15.0 and v.16.0, fixed in pdm-14.0.1.0.0, pdm-15.0.1.0.0, and pdm-16.0.1.0.0, allows a remote authenticated attacker to execute arbitrary code via the request parameter in the models/base_client.py component.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in Didotech srl pdm module for Odoo (versions 14.0-16.0) allows remote authenticated attackers to execute arbitrary SQL via the request parameter in models/base_client.py.

Vulnerability

A blind SQL injection vulnerability exists in the Didotech srl Engineering & Lifecycle Management (pdm) module for Odoo, affecting versions v.14.0, v.15.0, and v.16.0. The flaw resides in the models/base_client.py file, specifically in the pml_config_settings::GetUpdateTableData method, which accepts a request parameter. Insufficient sanitization of this parameter allows an attacker to inject arbitrary SQL into the existing query [1]. The vulnerability was fixed in releases pdm-14.0.1.0.0, pdm-15.0.1.0.0, and pdm-16.0.1.0.0 [1].

Exploitation

A remote authenticated attacker, who may be a portal user or internal user of an Odoo instance with the pdm module installed, can exploit this vulnerability by sending an XML-RPC request to the plm.config.settings model through Odoo's External API. The attacker triggers the GetUpdateTableData method with a crafted request parameter containing malicious SQL. The injected payload is appended to the existing SQL query and executed via the database cursor [1]. The attacker does not require specific elevated permissions; a portal user account suffices [1].

Impact

Successful exploitation allows the attacker to achieve privilege escalation and information disclosure. By injecting arbitrary SQL, the attacker can read sensitive data from the database (including records from other modules) and potentially escalate privileges within the Odoo instance [1]. The full impact could extend to arbitrary code execution if the database permits command execution via SQL functions, though the primary gain is unauthorized data access and privilege elevation.

Mitigation

The vendor has released patched versions: pdm-14.0.1.0.0, pdm-15.0.1.0.0, and pdm-16.0.1.0.0 [1]. All users are strongly advised to update their pdm module to the corresponding fixed version immediately. There are no known workarounds; updating the module is the only effective mitigation. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. No EOL status has been announced for the affected versions.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Didotech srl / Engineering & Lifecycle Management (source: description)
  • Didotech srl / pdm (source: llm-fuzzy)
    Range: <=16.0

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization in the GetUpdateTableData method allows user-supplied SQL to be concatenated into a query executed via the database cursor."

Attack vector

A remote authenticated attacker (even a portal user with no special permissions) sends an XML-RPC call to the `plm.config.settings` model through the External API, invoking the `GetUpdateTableData` method with a crafted `request` parameter [ref_id=1]. The attacker's payload embeds arbitrary SQL statements into the existing query, which are then executed through the database cursor [ref_id=1]. For example, the PoC shows a payload that modifies the admin password via an injected `UPDATE` statement [ref_id=1]. This allows privilege escalation, information disclosure, and data tampering [ref_id=1].

Affected code

The vulnerability resides in `models/base_client.py` within the `pml_config_settings::GetUpdateTableData(request, default)` method [ref_id=1]. This method is public and callable via the Odoo External API, making it accessible to any authenticated user of an Odoo instance with the pdm module installed [ref_id=1].

What the fix does

The advisory states that a patch has been made available by the module's vendor before the repository was made public, with fixed versions pdm-14.0.1.0.0, pdm-15.0.1.0.0, and pdm-16.0.1.0.0 [ref_id=1]. The researcher suggests that a possible patch could make use of prepared statements to safely handle user input, or make the affected method private so it is no longer callable from the External API [ref_id=1]. The specific patch diff is not included in the bundle.
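The two fix options named above, parameterized queries and input validation, are easiest to see side by side. The following is an added example written for this page, not code from the pdm module or from Didotech: it reproduces the concatenation pattern the advisory describes against an in-memory SQLite table and contrasts it with a parameterized, validated rewrite. The table `ext_document`, its columns, the sample rows and the function names are all constructed for illustration.

```python
"""Added example (not the pdm module's code): string-concatenated SQL beside a
parameterized, validated rewrite, run against a constructed SQLite table."""
import re
import sqlite3

# Constructed sample data standing in for a table the method might filter by date.
SAMPLE_ROWS = [
    ("spec-001", "2023-07-01", "released"),
    ("spec-002", "2023-08-10", "draft"),
    ("spec-003", "2023-09-02", "released"),
]


def make_db():
    """Build an in-memory database with the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ext_document (name TEXT, write_date TEXT, state TEXT)")
    conn.executemany("INSERT INTO ext_document VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def updated_since_vulnerable(conn, request):
    """Vulnerable pattern: the caller-controlled string is spliced into the SQL
    text, so a quote character in `request` changes the query's structure."""
    sql = "SELECT name FROM ext_document WHERE write_date > '" + request + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def updated_since_fixed(conn, request):
    """Hardened pattern: reject anything that is not shaped like a date, then
    bind the value as a parameter so the driver never interprets it as SQL."""
    if not DATE_RE.match(request):
        raise ValueError("request must be a YYYY-MM-DD date")
    sql = "SELECT name FROM ext_document WHERE write_date > ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (request,))]


if __name__ == "__main__":
    conn = make_db()
    # Legitimate use: both versions return the two documents written after the date.
    print(updated_since_vulnerable(conn, "2023-08-02"))
    print(updated_since_fixed(conn, "2023-08-02"))
    # A constructed tautology string: the concatenated query disclosesevery row,
    # while the hardened version refuses the input before it reaches the database.
    print(updated_since_vulnerable(conn, "' OR '1'='1"))
    try:
        updated_since_fixed(conn, "' OR '1'='1")
    except ValueError as err:
        print("rejected:", err)
```

The validation step matters even with parameter binding: a bound string that is not a date would still be compared lexically against `write_date`, so the allow-list regex is what keeps the semantics of the query intact, while binding is what removes the injection.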

Preconditions

  • Auth: Attacker must be an authenticated user (portal or internal) of an Odoo instance with the pdm module installed
  • Network: The vulnerable GetUpdateTableData method must be accessible via the External API (XML-RPC)
  • Input: Attacker must craft a request parameter containing a malicious SQL payload

Reproduction

The PoC demonstrates sending an XML-RPC call to `models.execute_kw` targeting the `plm.config.settings` model with method `GetUpdateTableData` and arguments `[["ext_document", "2023-08-02'; UPDATE res_users SET password='whatever' WHERE login='admin'; SELECT password FROM res_users WHERE login='admin'; -- "]]` [ref_id=1]. A recorded demo of the PoC and the exploit code are available under the referenced directory [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)

News mentions (0)

No linked articles in our index yet.