Unauthenticated SQL Injection In IDAttend’s IDWeb Application
Description
Unauthenticated SQL injection in the DeleteRoomChanges method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction or modification of all data by unauthenticated attackers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in IDAttend IDWeb's DeleteRoomChanges method allows full data extraction or modification.
Vulnerability
The DeleteRoomChanges method in IDAttend's IDWeb application versions 3.1.052 and earlier (discovered in 3.1.013) is vulnerable to unauthenticated SQL injection [1]. An attacker can inject arbitrary SQL commands without any authentication, as the method does not properly sanitize user input before constructing database queries. This affects all installations running the affected versions.
Exploitation
An unauthenticated attacker can send crafted HTTP requests to the vulnerable DeleteRoomChanges endpoint. No prior authentication or special network position is required; the attacker only needs network access to the IDWeb application. By manipulating input parameters, the attacker can inject SQL statements that are executed by the backend database.
Impact
Successful exploitation allows the attacker to extract or modify all data stored in the database. This includes sensitive information such as user credentials, attendance records, and other application data. The attacker gains full read and write access to the database, leading to complete compromise of data confidentiality and integrity.
Mitigation
The vulnerability is fixed in IDWeb version 3.1.053 [1]. Users should upgrade to this version or later immediately. No workarounds are mentioned in the available references. The CVE is not listed in the KEV catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- IDAttend Pty Ltd/IDWebv5Range: 9
References