Missing Authentication In IDAttend’s IDWeb Application

Vulnerability

The IDAttend IDWeb application version 3.1.052 and earlier contains a missing authentication vulnerability in the DeleteAssignments method. This allows any unauthenticated remote attacker to call the method and delete attendance assignments stored in the application's database. The affected versions include all releases up to and including 3.1.052 [1].

Exploitation

An attacker does not need any authentication or special network position beyond reachability of the IDWeb application. By sending a crafted HTTP request to the vulnerable DeleteAssignments endpoint, the attacker can trigger deletion of assignment records without any authentication or user interaction [1].

Impact

Successful exploitation allows an attacker to delete arbitrary attendance data stored in the IDWeb application. This compromises the integrity and availability of attendance records, potentially leading to misreported attendance, lost audit trails, and disruption of business processes relying on the data [1].

Mitigation

The vendor has not released a public fix as of October 2023. Users are advised to apply access controls at the network perimeter (e.g., restrict access to the IDWeb application to trusted IP ranges) and monitor for unauthorized uses of the DeleteAssignments endpoint until an official patch is provided [1].