Missing Authentication In IDAttend’s IDWeb Application

Vulnerability

The StudentPopupDetails_EmergencyContactDetails method in IDAttend's IDWeb application versions 3.1.052 and earlier lacks authentication checks [1]. This allows the endpoint to be called without any credentials or session token. The vulnerability was discovered in version 3.1.013 and affects all prior releases [1].

Exploitation

An unauthenticated attacker with network access to the IDWeb application can directly invoke the vulnerable StudentPopupDetails_EmergencyContactDetails method via a crafted HTTP request [1]. No user interaction, special privileges, or prior access is required.

Impact

Successful exploitation enables the attacker to extract sensitive student data, including emergency contact details, from the application's database [1]. The attacker gains information disclosure without any authentication, compromising the confidentiality of student records.

Mitigation

The vulnerability is fixed in IDAttend IDWeb version 3.1.053 [1]. Organizations using versions 3.1.052 or earlier should update immediately. No workarounds are documented in the available references. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.