CVE-2024-34533
Description
A SQL injection vulnerability in ZI PT Solusi Usaha Mudah Analytic Data Query module (aka izi_data) 11.0 through 17.x before 17.0.3 allows a remote attacker to gain privileges via a query to IZITools::query_check, IZITools::query_fetch, or IZITools::query_execute.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in ZI PT Solusi Usaha Mudah Analytic Data Query module allows remote privilege escalation via crafted queries to IZITools methods.
Vulnerability
CVE-2024-34533 is a SQL injection vulnerability in the ZI PT Solusi Usaha Mudah Analytic Data Query module (izi_data) for Odoo. The flaw affects versions 11.0 through 17.x before 17.0.3 and resides in the IZITools::query_check, IZITools::query_fetch, and IZITools::query_execute methods.
Attack Vector
A remote attacker, authenticated as a portal or internal user of an Odoo instance with the module installed, can trigger these methods via the External API (e.g., XML-RPC). By passing a crafted query argument, the attacker injects arbitrary SQL commands that are executed through the database cursor [1].
Impact
Successful exploitation allows an attacker to escalate privileges, modify database records (e.g., changing the admin password), and disclose sensitive information. The provided proof-of-concept demonstrates changing the admin password to a known value [1].
Mitigation
The vendor has released a patch in version 17.0.3 of the module. Users are advised to update to this version or later. The disclosure followed responsible practices, and exploit details were published after the patch was available [1].
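To check whether an instance has received calls to the affected methods over the External API, the following added example (not code from the vendor or the advisory) parses captured XML-RPC request bodies and flags `execute`/`execute_kw` calls that name one of the three methods. It assumes request bodies are available from a reverse proxy or WAF capture; the database name, user id, password and `placeholder.model` in the samples are constructed, and JSON-RPC traffic is not covered.

```python
import xmlrpc.client
from xml.parsers.expat import ExpatError

# Method names come from the CVE description; everything else is illustrative.
WATCHED_METHODS = {"query_check", "query_fetch", "query_execute"}
# Odoo's External API routes model calls through these object-service methods.
RPC_DISPATCHERS = {"execute", "execute_kw"}
MAX_BODY = 64 * 1024  # assumption: cap on what we are willing to parse


def inspect_body(body: bytes):
    """Classify one captured XML-RPC request body.

    Returns None for unrelated calls, or a dict with status "hit" or
    "unparsed". Unparsed bodies are reported rather than dropped so that
    padding or malformed XML cannot silently bypass the check.
    """
    if len(body) > MAX_BODY:
        return {"status": "unparsed", "reason": "oversized"}
    try:
        params, rpc_method = xmlrpc.client.loads(body)
    except (ExpatError, xmlrpc.client.Error, ValueError, TypeError) as exc:
        return {"status": "unparsed", "reason": type(exc).__name__}
    if rpc_method not in RPC_DISPATCHERS or len(params) < 5:
        return None
    # Positional layout: db, uid, password, model, method, then arguments.
    db, uid, _password, model, method = params[:5]
    if not isinstance(method, str) or method not in WATCHED_METHODS:
        return None
    return {"status": "hit", "db": db, "uid": uid, "model": model, "method": method}


def sample_call(method, *args):
    # Constructed request; "placeholder.model" and the credentials are made up.
    params = ("demo_db", 7, "x", "placeholder.model", method, list(args))
    return xmlrpc.client.dumps(params, methodname="execute_kw").encode()


SAMPLES = [  # constructed request bodies, not captured traffic
    sample_call("search_read", [["active", "=", True]]),
    sample_call("query_fetch", "SELECT 1"),
    sample_call("query_execute", "SELECT 1"),
    b"<methodCall><methodName>execute_kw</methodName><params>",  # truncated
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(inspect_body(body))
```

A hit only shows that one of the methods was invoked; correlate the reported `uid` with the account's role and the module version installed at the time.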
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=11.0, <17.0.3
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.