Student Data at Risk in IDAttend Web Application – Update Now!

CVE: CVE-2023-27377
CVSS v3.1: 7.5
Source: CVE-2023-27377

The IDAttend web application, used by many schools to manage student data, was found to have a vulnerability that could allow hackers to access sensitive student information without authentication.

The vulnerability resides in the StudentPopupDetails_EmergencyContactDetails method, which displays emergency contact details for a student. By manipulating parameters, attackers could trigger this method to display details without needing to log in. This would leak names, phone numbers, addresses and other private data submitted by parents and guardians.

Attackers could exploit this from anywhere on the public internet. All they need to do is craft a specially formatted URL targeting the vulnerable method. Any student records accessible through that method would be exposed.
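To check whether the method was already being called without a login, web server logs can be searched for it. The following is an added example, not code from IDAttend or from the advisory. It assumes the server writes W3C extended logs (the IIS format), that the method name appears in the request URI, and that the site's authentication is recorded in `cs-username`; if the application handles logins itself, every caller shows as anonymous and the output is simply the list of callers to review. All log lines are constructed.

```python
# Method named in the advisory; assumed to appear in the URI stem or query.
METHOD = "StudentPopupDetails_EmergencyContactDetails".lower()

# Constructed sample in W3C extended log format. Paths, addresses and
# user names are placeholders, not real IDAttend values.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2023-11-01 09:12:44 10.0.0.15 SCHOOL\\jsmith POST /placeholder/StudentPopupDetails_EmergencyContactDetails - 200
2023-11-01 09:13:02 203.0.113.7 - POST /placeholder/StudentPopupDetails_EmergencyContactDetails - 200
2023-11-01 09:13:05 203.0.113.7 - POST /placeholder/StudentPopupDetails_EmergencyContactDetails - 200
2023-11-01 09:14:10 198.51.100.9 - POST /placeholder/StudentPopupDetails_EmergencyContactDetails - 401
2023-11-01 09:15:31 10.0.0.22 - GET /placeholder/Login.aspx - 200
"""


def find_unauthenticated_hits(lines):
    """Return {client_ip: count} for successful anonymous calls to METHOD."""
    fields, hits = [], {}
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # Field order can change mid-file, so re-read it at each directive.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated entry
        rec = dict(zip(fields, values))
        target = (rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", "")).lower()
        if METHOD not in target:
            continue
        # "-" means no authenticated user was recorded for the request.
        anonymous = rec.get("cs-username", "-") == "-"
        # Only 2xx responses can have returned contact details.
        succeeded = rec.get("sc-status", "").startswith("2")
        if anonymous and succeeded:
            ip = rec.get("c-ip", "unknown")
            hits[ip] = hits.get(ip, 0) + 1
    return hits


if __name__ == "__main__":
    for ip, count in sorted(find_unauthenticated_hits(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}: {count} anonymous successful request(s)")
```

Any address reported here from outside the school network is worth following up even after the update to a fixed version, since the data may already have been read.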

The good news is administrators can get ahead of this risk by updating their IDAttend installations to version 3.1.053 or later, which fixes the flaw. Users should also be cautious about clicking links or attachments from unknown sources, as phishing attacks could potentially abuse this vulnerability.

By taking a few minutes to update their software, schools can help protect the sensitive details of students and their families. Staying on top of patches is one of the best ways to secure systems from these kinds of vulnerabilities.
