VYPR
Unrated severity · NVD Advisory · Published Sep 14, 2023 · Updated Sep 25, 2024

CVE-2023-40958

Description

A SQL injection vulnerability in Didotech srl Engineering & Lifecycle Management (aka pdm) v.14.0, v.15.0 and v.16.0 fixed in pdm-14.0.1.0.0, pdm-15.0.1.0.0, and pdm-16.0.1.0.0 allows a remote authenticated attacker to execute arbitrary code via the query parameter in models/base_client.py component.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in Didotech pdm v14-16 allows remote authenticated attackers to execute arbitrary SQL via the query parameter of methods in base_client.py.

Vulnerability

A SQL injection vulnerability exists in the models/base_client.py component of Didotech Engineering & Lifecycle Management (pdm) versions 14.0, 15.0, and 16.0. The methods setExecute, getExecute, and getExectuteQuery in pml_config_settings are vulnerable due to insufficient sanitization of the query parameter [1]. Fixed versions: pdm-14.0.1.0.0, pdm-15.0.1.0.0, pdm-16.0.1.0.0.

Exploitation

A remote authenticated attacker (portal or internal user) can trigger the vulnerability by sending XML-RPC requests to the plm.config.settings model via the External API, passing a crafted SQL query in the query parameter [1]. The attacker does not require special permissions beyond being an authenticated user of the Odoo instance with the pdm module installed.

Impact

Successful exploitation allows the attacker to execute arbitrary SQL queries on the database. This can lead to privilege escalation, information disclosure, and potentially arbitrary code execution as stated in the CVE description [1]. The attacker gains the ability to read, modify, or delete data, and potentially execute system commands, compromising the confidentiality, integrity, and availability of the system.

Mitigation

The vulnerability is fixed in pdm-14.0.1.0.0, pdm-15.0.1.0.0, and pdm-16.0.1.0.0 [1]. Users should upgrade to the latest patched version. The vendor released the patch before public disclosure. No workarounds are mentioned in the available references.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Public methods in `models/base_client.py` accept and execute arbitrary SQL queries from the caller without any sanitization, parameterization, or access control checks."

Attack vector

A remote authenticated attacker (even a portal user with minimal privileges) can exploit this vulnerability by sending an XML-RPC call to the `plm.config.settings` model via the Odoo External API [ref_id=1]. The attacker invokes one of the public methods (`setExecute`, `getExecute`, or `getExectuteQuery`) and passes an arbitrary SQL query as the argument. Because the methods are public and Odoo only checks permissions on CRUD operations—not on method invocations—the attacker's SQL query is executed directly against the database [ref_id=1].

Affected code

The vulnerability resides in `models/base_client.py` within the `pml_config_settings` class. Three methods are affected: `setExecute(query)`, `getExecute(query)`, and `getExectuteQuery(query)` [ref_id=1]. These methods accept a raw SQL query parameter and pass it directly to the database cursor without sanitization or parameterization [ref_id=1].

What the fix does

The advisory states that a patch has been made available by the module's vendor in versions pdm-14.0.1.0.0, pdm-15.0.1.0.0, and pdm-16.0.1.0.0 [ref_id=1]. The patch is not included in the bundle, but the remediation would involve removing or securing the vulnerable methods so that they no longer accept and execute arbitrary SQL queries from unprivileged callers. The advisory does not specify the exact changes made in the patch.
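As an added illustration of the remediation direction described above (not the vendor's patch, which is not in the bundle), here is a hypothetical hardened shape for such a method in Python. It uses sqlite3 as an offline stand-in for Odoo's database cursor; the class, table, column and operation names are assumptions, not pdm's own code. Callers pick an allowlisted operation, values are bound as parameters, and a privilege check runs before anything reaches the database.

```python
import sqlite3

# Constructed stand-in for an Odoo model; sqlite3 lets it run offline.
# Table, column and operation names are hypothetical, not pdm's own.
class PlmConfigSettingsHardened:
    """Hardened alternative to a public method that runs caller-supplied SQL:
    callers name an allowlisted operation, values are bound as parameters,
    and the caller's privilege is checked before anything reaches the cursor."""

    # The only statements that can ever reach the database.
    _ALLOWED = {
        "count_components_in_state":
            "SELECT COUNT(*) FROM plm_component WHERE state = ?",
        "release_component":
            "UPDATE plm_component SET state = 'released' WHERE name = ?",
    }

    def __init__(self, conn, is_admin):
        self._conn = conn
        self._is_admin = is_admin

    def get_execute(self, operation, params=()):
        # Explicit check: Odoo does not gate custom method calls by itself.
        if not self._is_admin:
            raise PermissionError("administrator rights required")
        sql = self._ALLOWED.get(operation)
        if sql is None:
            # A raw SQL string is not an operation name, so it is refused.
            raise ValueError(f"unknown operation {operation!r}")
        cur = self._conn.execute(sql, tuple(params))
        self._conn.commit()
        return cur.fetchall()


def build_demo_db():
    """Constructed sample data: three components, two still in draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plm_component (name TEXT, state TEXT)")
    conn.executemany("INSERT INTO plm_component VALUES (?, ?)",
                     [("bracket", "draft"), ("axle", "draft"), ("gear", "released")])
    conn.commit()
    return conn


def count_in_state(conn, state, is_admin=True):
    """Read helper: number of components currently in the given state."""
    rows = PlmConfigSettingsHardened(conn, is_admin).get_execute(
        "count_components_in_state", (state,))
    return rows[0][0]
```

The point of contrast with the vulnerable pattern is that the caller can only choose which fixed statement runs and what values are bound into it, never the SQL text itself.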

Preconditions

  • auth: Attacker must be an authenticated user (portal or internal) of an Odoo instance with the pdm module installed
  • config: The pdm module must be installed on the Odoo instance
  • network: Attacker must have network access to the Odoo XML-RPC endpoint
  • input: Attacker supplies a crafted SQL query as the method argument

Reproduction

The PoC demonstrates that a portal user named `lucas` sends an XML-RPC call to the `plm.config.settings` model, triggering the `setExecute` method with a crafted SQL query that modifies the admin password [ref_id=1]. The exact call is: `models.execute_kw(db, uid, password, 'plm.config.settings', 'setExecute', ['plm.config.settings', "UPDATE res_users SET password='whatever' WHERE login='admin'"])` [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.