Missing Authentication In IDAttend’s IDWeb Application
Description
Missing authentication in the GetStudentGroupStudents method in IDAttend’s IDWeb application 3.1.052 and earlier allows retrieval of student and teacher data by unauthenticated attackers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IDAttend IDWeb 3.1.052 and earlier lacks authentication in the GetStudentGroupStudents method, allowing unauthenticated attackers to retrieve student and teacher data.
Vulnerability
The IDAttend IDWeb application version 3.1.052 and earlier contains a missing authentication vulnerability in the GetStudentGroupStudents method. This method does not enforce any access control, allowing unauthenticated attackers to invoke it directly. The vulnerability affects all versions up to and including 3.1.052, as confirmed in the advisory [1].
Exploitation
An unauthenticated attacker with network access to the IDWeb application can send crafted HTTP requests to the vulnerable GetStudentGroupStudents endpoint. No authentication, session token, or prior user interaction is required. The advisory does not detail the exact request format, but the method is exposed over the web interface [1].
Impact
Successful exploitation allows an unauthenticated attacker to extract sensitive student and teacher data, including personally identifiable information (PII). The impact is a breach of confidentiality: the attacker does not gain write access or code execution, but the exposed data could be used for further attacks or sold [1].
Mitigation
According to the advisory, the vulnerability is fixed in IDAttend IDWeb version 3.1.053. Users must upgrade to version 3.1.053 or later. No workaround is available for older versions. The vendor should be contacted if immediate patching is not possible [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- IDAttend Pty Ltd/IDWebv5Range: 0
Patches
No patches discovered yet.
References