School Management Software IDWeb Vulnerable to Data Breach

CVE: CVE-2023-27376
CVSS v3.1: 7.5
Source: CVE-2023-27376

The student information management software IDWeb, developed by IDAttend, contains a vulnerability that could allow attackers to access sensitive student data without authentication.

The vulnerability exists in the StudentPopupDetails_StudentDetails method, which is used to display student details. By manipulating parameters, unauthenticated attackers can extract information meant only for authorized users. This may include names, grades, medical conditions and other private details of students.

Attackers could exploit this issue by sending specially crafted HTTP requests to the vulnerable method. As no authentication is required, anyone aware of the vulnerability could potentially access the personal records of students.

Schools and institutions using IDWeb versions 3.1.052 or lower are recommended to urgently update to the latest version, which resolves this security flaw. Administrators should also audit the logs for signs of unauthorized access during the vulnerable window.
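One way to carry out the log audit, as an added example that is not IDAttend's code: it summarises requests to the affected method per client IP and flags clients that received successful responses for many distinct parameter values. It assumes the web server writes IIS W3C extended logs and that the method name appears in the request URI; the sample log, its paths, IPs, query strings and the `min_distinct` threshold are all constructed.

```python
# Method name taken from the advisory; matched case-insensitively in the URI.
METHOD = "StudentPopupDetails_StudentDetails"

# Constructed sample log (assumed IIS W3C extended format; paths, IPs and
# query strings are placeholders, not values from the advisory).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2023-03-01 09:00:01 10.0.0.5 GET /PLACEHOLDER/StudentPopupDetails_StudentDetails k=A 200
2023-03-01 09:05:10 203.0.113.7 GET /PLACEHOLDER/StudentPopupDetails_StudentDetails k=A 200
2023-03-01 09:05:11 203.0.113.7 GET /PLACEHOLDER/StudentPopupDetails_StudentDetails k=B 200
2023-03-01 09:05:12 203.0.113.7 GET /PLACEHOLDER/StudentPopupDetails_StudentDetails k=C 200
2023-03-01 09:05:13 203.0.113.7 GET /PLACEHOLDER/StudentPopupDetails_StudentDetails k=D 500
2023-03-01 09:06:00 198.51.100.9 GET /PLACEHOLDER/Other k=A 200
"""

def audit(lines, method=METHOD):
    """Return {client_ip: summary} for every request whose URI names `method`."""
    fields, stats = [], {}
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if method.lower() not in row.get("cs-uri-stem", "").lower():
            continue
        s = stats.setdefault(row.get("c-ip", "?"),
                             {"hits": 0, "ok": 0, "queries": set(),
                              "first": None, "last": None})
        s["hits"] += 1
        s["ok"] += row.get("sc-status", "").startswith("2")  # 2xx = data returned
        s["queries"].add(row.get("cs-uri-query", "-"))
        ts = f'{row.get("date", "")} {row.get("time", "")}'
        s["first"] = s["first"] or ts
        s["last"] = ts
    return stats

def suspicious(stats, min_distinct=3):
    """Clients with a successful response and many distinct parameter values."""
    return sorted(ip for ip, s in stats.items()
                  if s["ok"] and len(s["queries"]) >= min_distinct)

if __name__ == "__main__":
    summary = audit(SAMPLE_LOG.splitlines())
    for ip in suspicious(summary):
        s = summary[ip]
        print(ip, s["hits"], "hits,", s["ok"], "successful,", s["first"], "to", s["last"])
```

Every client in the summary, not only the flagged ones, should be compared against known legitimate users for the period before the update was applied.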

Students and parents entrust schools with sensitive data. It is important for education technology providers to follow secure coding practices and address issues promptly. Regular software updates can help prevent such vulnerabilities from being exploited in the first place.
