Unauthenticated SQL Injection In IDAttend’s IDWeb Application
Description
Unauthenticated SQL injection in the GetExcursionList method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction or modification of all data by unauthenticated attackers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in IDAttend IDWeb 3.1.052 and earlier allows full data extraction or modification.
Vulnerability
The GetExcursionList method in IDAttend's IDWeb application versions 3.1.052 and earlier is vulnerable to unauthenticated SQL injection [1]. The flaw occurs in the method's handling of user-supplied input, which is directly incorporated into SQL queries without proper sanitization or parameterization. No authentication is required to reach the vulnerable code path, and the injection allows an attacker to manipulate arbitrary database queries.
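The concatenation-versus-parameterization distinction described above, as an added illustration that is not IDWeb's code and does not use IDWeb's schema: the excursions table, the school_id parameter, the sample rows and the function names are constructed assumptions. It runs the same lookup against an in-memory SQLite database in three forms (string-built query, bound-parameter query, and bound parameters behind an input-shape check) so the behavioural difference on a malformed value is observable rather than described.

```python
import re
import sqlite3

# Constructed sample schema and rows; assumptions for this illustration,
# not IDWeb's real tables or data.
SAMPLE_ROWS = [
    (1, "Museum visit", "S001"),
    (2, "Zoo trip", "S001"),
    (3, "Science camp", "S002"),
]

# Allowlist for the shape an identifier is expected to have (assumed).
ID_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE excursions (id INTEGER, name TEXT, school_id TEXT)")
    conn.executemany("INSERT INTO excursions VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def get_excursion_list_vulnerable(conn, school_id):
    """Vulnerable pattern: the caller-supplied value is spliced into the SQL
    text, so a quote character in the value rewrites the statement itself."""
    query = f"SELECT id, name FROM excursions WHERE school_id = '{school_id}'"
    return conn.execute(query).fetchall()


def get_excursion_list_fixed(conn, school_id):
    """Fixed pattern: the value is sent as a bound parameter, separately from
    the statement, so it can only ever be compared as data."""
    query = "SELECT id, name FROM excursions WHERE school_id = ?"
    return conn.execute(query, (school_id,)).fetchall()


def is_well_formed_id(value):
    """Defense in depth: refuse values that do not look like an identifier
    before they reach the database. Not a substitute for parameterization."""
    return bool(ID_PATTERN.match(value))


def get_excursion_list_hardened(conn, school_id):
    """Input-shape check plus bound parameters; malformed input is rejected."""
    if not is_well_formed_id(school_id):
        raise ValueError("school_id has an unexpected shape")
    return get_excursion_list_fixed(conn, school_id)


if __name__ == "__main__":
    db = build_db()
    benign = "S001"
    # Classic textbook test string: the quote closes the literal and the
    # OR clause makes the WHERE condition true for every row.
    tautology = "S001' OR '1'='1"
    print("benign, vulnerable:   ", get_excursion_list_vulnerable(db, benign))
    print("benign, fixed:        ", get_excursion_list_fixed(db, benign))
    print("tautology, vulnerable:", get_excursion_list_vulnerable(db, tautology))
    print("tautology, fixed:     ", get_excursion_list_fixed(db, tautology))
    try:
        get_excursion_list_hardened(db, tautology)
    except ValueError as exc:
        print("tautology, hardened:  rejected:", exc)
```

With the benign value both lookups return the two S001 rows. With the tautology value the string-built query returns every row in the table, while the parameterized query returns nothing because no school_id equals that literal string; the hardened variant never reaches the database at all. The fix for a flaw of this class is the bound-parameter form; the shape check only narrows what reaches the driver and is worth logging as a signal when it fires.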
Exploitation
An unauthenticated attacker with network access to the IDWeb application can exploit the GetExcursionList endpoint by crafting a malicious request containing SQL injection payloads [1]. The attacker does not need any prior authentication, session, or special privileges. The exploitation steps involve sending a specially crafted HTTP request to the vulnerable endpoint, injecting SQL commands into the parameter expected by GetExcursionList.
Impact
Successful exploitation allows an unauthenticated attacker to extract or modify all data in the IDWeb application's database [1]. This includes sensitive information such as user credentials, personal data, and application configuration. The attacker achieves full read/write access to the database, leading to complete compromise of confidentiality, integrity, and availability of the stored data.
Mitigation
The vulnerability is fixed in IDWeb version 3.1.053 [1]. Organizations using IDAttend IDWeb versions 3.1.052 or earlier should update to the fixed version immediately. No official workaround is documented; the only reliable mitigation is applying the vendor-supplied patch. As of the publication date, this CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- IDAttend Pty Ltd / IDWeb (v5Range: 0)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.