VYPR
Unrated severity · NVD Advisory · Published Oct 25, 2023 · Updated Sep 25, 2024

Missing Authentication In IDAttend’s IDWeb Application

CVE-2023-27375

Description

Missing authentication in the StudentPopupDetails_ContactDetails method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction of sensitive student data by unauthenticated attackers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authentication in IDAttend IDWeb 3.1.052 and earlier allows unauthenticated attackers to extract sensitive student data via the StudentPopupDetails_ContactDetails method.

Vulnerability

The IDAttend IDWeb application version 3.1.052 and earlier contains a missing authentication vulnerability in the StudentPopupDetails_ContactDetails method [1]. This flaw allows an unauthenticated attacker to directly access the method without any required credentials or session checks [1]. The issue was initially discovered in version 3.1.013 [1].

Exploitation

An attacker with network access to the IDWeb application can send a crafted HTTP request to the vulnerable StudentPopupDetails_ContactDetails endpoint [1]. No authentication, prior knowledge, or user interaction is required for exploitation [1]. The attack complexity is low, as the endpoint is reachable without special conditions [1].

Impact

Successful exploitation enables an unauthenticated attacker to extract sensitive student data from the application [1]. The impact is primarily to confidentiality, as the attacker can read protected student records without authorization [1]. The attacker does not gain any system-level access or privilege escalation beyond the data accessible via this endpoint [1].

Mitigation

The vulnerability is fixed in IDAttend IDWeb version 3.1.053, released after the advisory [1]. Organizations running version 3.1.052 or earlier should upgrade to version 3.1.053 or later immediately [1]. No workarounds have been publicly documented; applying the vendor patch is the recommended mitigation [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • IDAttend/IDWeb (llm-fuzzy)
    Range: <=3.1.052
  • IDAttend Pty Ltd/IDWeb (v5)
    Range: 0


References

1
