Skip to main content

Engineering Lifecycle Management CVE-2023-40957

HIGH
SQL Injection (CWE-89)
2023-09-15 cve@mitre.org
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Sep 15, 2023 - 00:15 nvd
HIGH 8.8

DescriptionNVD

A SQL injection vulnerability in Didotech srl Engineering & Lifecycle Management (aka pdm) v.14.0, v.15.0 and v.16.0 fixed in pdm-14.0.1.0.0, pdm-15.0.1.0.0, and pdm-16.0.1.0.0 allows a remote authenticated attacker to execute arbitrary code via the request parameter in models/base_client.py component.

AnalysisAI

A SQL injection vulnerability in Didotech srl Engineering & Lifecycle Management (aka pdm) v.14.0, v.15.0 and v.16.0 fixed in pdm-14.0.1.0.0, pdm-15.0.1.0.0, and pdm-16.0.1.0.0 allows a remote. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. A SQL injection vulnerability in Didotech srl Engineering & Lifecycle Management (aka pdm) v.14.0, v.15.0 and v.16.0 fixed in pdm-14.0.1.0.0, pdm-15.0.1.0.0, and pdm-16.0.1.0.0 allows a remote authenticated attacker to execute arbitrary code via the request parameter in models/base_client.py component. Affected products include: Didotech Engineering \& Lifecycle Management.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

CVE-2023-40958 HIGH POC
8.8 Sep 15

A SQL injection vulnerability in Didotech srl Engineering & Lifecycle Management (aka pdm) v.14.0, v.15.0 and v.16.0 fix

CVE-2023-40955 HIGH POC
8.8 Sep 15

A SQL injection vulnerability in Didotech srl Engineering & Lifecycle Management (aka pdm) v.14.0, v.15.0 and v.16.0 fix

CVE-2026-3660 CRITICAL
9.8 May 26

Authorization bypass in IBM Engineering Lifecycle Management (ELM) 7.0.3, 7.1.0, and 7.2.0 allows unauthenticated remote

CVE-2026-4051 HIGH
7.2 May 26

Remote code execution in IBM Engineering Lifecycle Management (ELM) versions 7.0.3 through Interim Fix 021, 7.1.0 throug

CVE-2026-3603 HIGH
7.1 May 26

XML External Entity (XXE) injection in IBM Engineering Lifecycle Management (ELM) 7.0.3, 7.1.0, and 7.2.0 allows authent

CVE-2021-20502 HIGH
7.1 Mar 30

IBM Jazz Foundation Products are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. R

CVE-2021-20371 MEDIUM
6.5 Jun 02

IBM Jazz Foundation and IBM Engineering products could allow a remote attacker to obtain sensitive information when an e

CVE-2025-36033 MEDIUM
5.4 Feb 03

Engineering Lifecycle Management versions up to 7.0.3 is affected by cross-site scripting (xss) (CVSS 5.4).

CVE-2021-29670 MEDIUM
5.4 Jun 02

IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4

CVE-2021-29668 MEDIUM
5.4 Jun 02

IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4

CVE-2021-20348 MEDIUM
5.4 Jun 02

IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF). Rated medium seve

CVE-2021-20347 MEDIUM
5.4 Jun 02

IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF). Rated medium seve

Share

CVE-2023-40957 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy