Missing Authentication In IDAttend’s IDWeb Application
Description
Missing authentication in the SearchStudentsRFID method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction of sensitive student data by unauthenticated attackers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authentication in IDAttend's IDWeb SearchStudentsRFID method (versions ≤3.1.052) allows unauthenticated attackers to extract sensitive student data.
Vulnerability
The SearchStudentsRFID method in IDAttend's IDWeb application version 3.1.052 and earlier lacks authentication. This endpoint is accessible without any login requirement, allowing anyone to query student data via RFID search parameters. The vulnerability exists in the IDWeb codebase prior to the 3.1.053 fix. [1]
Exploitation
An unauthenticated attacker can directly call the SearchStudentsRFID endpoint over the network. No special access or position is needed; the attacker simply sends a request to the vulnerable URL. The method processes the request and returns sensitive student information without verifying the caller's identity. [1]
Impact
Successful exploitation enables the attacker to extract sensitive student data, such as names, identification numbers, and RFID tag details. This constitutes a data breach with potential privacy violations. The attacker gains this access without any authentication, but the impact is limited to data exposure and does not involve privilege escalation within the application. [1]
Mitigation
The vendor fixed the vulnerability in version 3.1.053 of IDWeb. Users should upgrade to this release or later to close the missing-authentication flaw. If upgrading is not immediately feasible, administrators may implement network-level access controls or add authentication checks as interim workarounds, but the permanent solution is the patched version. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- IDAttend Pty Ltd/IDWeb, v5, Range: 0