CVE-2023-40958

Name of the Vulnerable Software and Affected Versions Didotech srl Engineering & Lifecycle Management (aka pdm) versions 14.0 through 16.0

Description A SQL injection issue allows a remote authenticated attacker to execute arbitrary code via the query parameter in the models/base client.py component.

Recommendations For versions 14.0 through 16.0, update to pdm-14.0.1.0.0, pdm-15.0.1.0.0, or pdm-16.0.1.0.0 respectively to resolve the issue. As a temporary workaround, consider restricting access to the query parameter in the models/base client.py component until a patch is applied.