VYPR
Unrated severity · NVD Advisory · Published Oct 25, 2023 · Updated Sep 10, 2024

Unauthenticated SQL Injection In IDAttend’s IDWeb Application

CVE-2023-26569

Description

Unauthenticated SQL injection in the StudentPopupDetails_Timetable method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction or modification of all data by unauthenticated attackers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated SQL injection in IDAttend IDWeb 3.1.052 and earlier allows remote attackers to extract or modify all database data.

Vulnerability

An unauthenticated SQL injection vulnerability exists in the StudentPopupDetails_Timetable method of IDAttend's IDWeb application, versions 3.1.052 and earlier. The flaw was discovered in version 3.1.013 and affects all prior builds. No authentication or special configuration is required to reach the vulnerable code path, making it accessible to any remote attacker.

Exploitation

An attacker can exploit this vulnerability without any prior authentication or user interaction. The attack requires only network access to the IDWeb application's HTTP endpoint. By sending specially crafted SQL statements as part of a request to the StudentPopupDetails_Timetable method, an unauthenticated attacker can execute arbitrary SQL commands against the backend database.

Impact

Successful exploitation allows an unauthenticated attacker to extract or modify all data stored in the application's database. This includes potentially sensitive information such as student records and other personal data. The impact is a complete compromise of data confidentiality and integrity, with the attacker gaining the ability to read, insert, update, or delete any database content.

Mitigation

The vulnerability has been fixed in IDWeb version 3.1.053, released on an unknown date but prior to the advisory publication on 2023-10-25. Organizations running version 3.1.052 or earlier should immediately upgrade to 3.1.053 or later. No workarounds have been provided. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the advisory date [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • IDAttend/IDWeb (llm-fuzzy)
    Range: <=3.1.052
  • IDAttend Pty Ltd/IDWeb (v5)
    Range: 0

Patches

0

No patches discovered yet.


References

1
