Unauthenticated SQL Injection In IDAttend’s IDWeb Application
Description
Unauthenticated SQL injection in the GetCurrentPeriod method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction or modification of all data by unauthenticated attackers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in IDAttend IDWeb's GetCurrentPeriod method allows full database extraction or modification; fixed in version 3.1.053.
Vulnerability
An unauthenticated SQL injection vulnerability exists in the GetCurrentPeriod method of IDAttend's IDWeb application. Versions 3.1.052 and earlier are affected, with the issue discovered in version 3.1.013 [1]. The vulnerability allows an attacker to inject arbitrary SQL queries via the method's input parameters without requiring any authentication.
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the GetCurrentPeriod endpoint with malicious SQL payloads. No authentication or prior access is needed. The attacker only needs network access to the vulnerable application.
Impact
Successful exploitation enables an unauthenticated attacker to extract or modify all data stored in the underlying database. This includes sensitive information such as user credentials, personal data, and application configuration, leading to a complete compromise of data confidentiality and integrity.
Mitigation
The issue is fixed in IDWeb version 3.1.053 [1]. Users should upgrade to this version or later immediately. No workarounds are documented. If upgrading is not possible, restrict network access to the application as a temporary measure.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- IDAttend Pty Ltd/IDWebv5Range: 0
References