CVE-2024-34534
Description
A SQL injection vulnerability in Cybrosys Techno Solutions Text Commander module (aka text_commander) 16.0 through 16.0.1 allows a remote attacker to gain privileges via the data parameter to models/ir_model.py:IrModel::chech_model.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A SQL injection in the Cybrosys Text Commander module for Odoo allows a remote attacker to gain privileges via a crafted data parameter.
The vulnerability is a SQL injection in the IrModel::check_model method of the Text Commander module (text_commander) for Odoo 16.0 through 16.0.1 [1]. The data parameter is unsanitized and directly used in SQL queries, allowing an attacker to inject arbitrary SQL commands.
An attacker with portal or internal user access to an Odoo instance can trigger the check_model method via the External API (XML-RPC) by passing a crafted data argument [1]. No special privileges are required beyond a valid user account with access to the API.
Successful exploitation allows the attacker to execute arbitrary SQL queries, leading to privilege escalation (e.g., changing the admin password) and information disclosure [1]. The PoC demonstrates changing the admin password to 'a', effectively taking over the administrator account.
No official patch is mentioned in the reference; however, the vulnerability was disclosed responsibly. Users should update the module if a fix becomes available or consider disabling the module if not needed [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: 16.0.0 - 16.0.1
Patches
No patches discovered yet.
References