Critical SQL Injection Vulnerability Patches IDAttend Student Management System

CVE: CVE-2023-26568
CVSS v3.1: 9.8
Source: CVE-2023-26568

IDAttend, a student management system used by many schools, has released an update to patch a serious SQL injection vulnerability.

The vulnerability was found in the GetStudentGroupStudents method of IDWeb, IDAttend's web application. This method returns student group data and could be called without authentication. Attackers could exploit it to extract or modify any data in the database by manipulating the SQL queries it builds.

SQL injection is a type of injection attack where malicious SQL statements can be inserted into an entry field for execution by the backend database. This allows attackers to view sensitive data like usernames and passwords. They can also add, modify or delete records in the database.

As the vulnerability was present in an unauthenticated method, any attacker could exploit it without needing valid login credentials. This made schools using the affected versions highly vulnerable to data breaches or manipulation.

IDAttend has now released versions 3.1.053 and above that fix this issue. Administrators of IDAttend systems are advised to immediately update to the latest version to close this critical security hole. Regular application of software updates is also recommended to patch vulnerabilities as they are discovered. Proper user access control and input validation can further reduce risks from injection attacks.
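To show the vulnerable query-building pattern described above beside the hardened form the advisory recommends (input validation, parameterised queries and an authentication check), here is an added example; it is not IDAttend's code, and the table layout, function names and the session-user check are assumptions made for illustration.

```python
import sqlite3
from typing import Optional

def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for a student-group table (not IDAttend's schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE student_groups (group_id INTEGER, student TEXT)")
    conn.executemany(
        "INSERT INTO student_groups VALUES (?, ?)",
        [(1, "alice"), (1, "bob"), (2, "carol"), (3, "dave")],
    )
    return conn

def get_group_students_unsafe(conn: sqlite3.Connection, group_id: str) -> list:
    # Vulnerable pattern: the caller-controlled value is spliced into the SQL text,
    # so any SQL syntax inside it changes the query instead of being treated as data.
    # No authentication is required to reach this function either.
    sql = f"SELECT student FROM student_groups WHERE group_id = '{group_id}'"
    return [row[0] for row in conn.execute(sql)]

def get_group_students_safe(conn: sqlite3.Connection, group_id: str,
                            session_user: Optional[str]) -> list:
    # Hardened pattern, in three steps:
    # 1. Require an authenticated caller (hypothetical session_user argument).
    if session_user is None:
        raise PermissionError("authentication required")
    # 2. Validate the input shape before it goes anywhere near the database.
    if not group_id.isdigit():
        raise ValueError("group_id must be a positive integer")
    # 3. Bind the value as a parameter: the driver sends it separately from the
    #    query text, so it can never be interpreted as SQL.
    sql = "SELECT student FROM student_groups WHERE group_id = ?"
    return [row[0] for row in conn.execute(sql, (int(group_id),))]

def compare(conn: sqlite3.Connection, group_id: str) -> dict:
    # Runs both versions on the same input so the difference in behaviour is visible.
    result = {"unsafe": get_group_students_unsafe(conn, group_id)}
    try:
        result["safe"] = get_group_students_safe(conn, group_id, session_user="admin")
    except ValueError as exc:
        result["safe"] = f"rejected: {exc}"
    return result

if __name__ == "__main__":
    db = make_db()
    print(compare(db, "1"))
    print(compare(db, "1' OR '1'='1"))  # textbook tautology: unsafe returns every row
```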