Missing Authentication In IDAttend’s IDWeb Application

Vulnerability

IDAttend's IDWeb application versions 3.1.052 and earlier contain a missing authentication vulnerability in the SetStudentNotes method. The method does not verify the identity of the caller, allowing any HTTP request to that endpoint to modify student note data without requiring credentials or session tokens [1].

Exploitation

An unauthenticated attacker can send crafted HTTP requests directly to the SetStudentNotes endpoint from any network position that can reach the IDWeb server. No prior authentication or user interaction is needed. By supplying arbitrary student identifiers and note content, the attacker can overwrite existing notes for any student [1].

Impact

Successful exploitation results in unauthorized modification of student notes, impacting the integrity of student records. The attacker does not gain administrative access but can corrupt or falsify data stored in the application, potentially affecting school operations or record-keeping [1].

Mitigation

A fix has been released in IDWeb version 3.1.053 and later. Users should update to the latest version immediately. No workarounds are available as the issue stems from a missing authentication check in a core API method [1].