CVE-2023-26574
📋 TL;DR
CVE-2023-26574 allows unauthenticated attackers to extract sensitive student data from IDAttend's IDWeb application by exploiting missing authentication in the SearchStudents method. This affects organizations using IDWeb version 3.1.052 and earlier for student attendance management.
💻 Affected Systems
- IDAttend IDWeb
📦 What is this software?
IDWeb by IDAttend, a web application used by schools for student attendance management.
⚠️ Risk & Real-World Impact
Worst Case
Mass exfiltration of all student personal data including names, IDs, contact information, and potentially attendance records, leading to privacy violations and regulatory penalties.
Likely Case
Unauthorized access to student information that could be used for identity theft, social engineering, or harassment.
If Mitigated
Limited exposure if network segmentation prevents external access, but internal threats remain possible.
🎯 Exploit Status
The vulnerability requires no authentication and minimal technical skill to exploit via direct API calls or web requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.053 or later
Vendor Advisory: https://www.themissinglink.com.au/security-advisories/cve-2023-26574
Restart Required: Yes
Instructions:
1. Download the latest version from the IDAttend vendor portal.
2. Back up the current installation.
3. Run the installer to upgrade.
4. Restart the application services.
5. Verify that authentication is now required for the SearchStudents method.
🔧 Temporary Workarounds
Network Access Control
Restrict access to the IDWeb application to authorized IP addresses only.
# Example firewall rule (Windows PowerShell). This only adds an Allow rule scoped to one subnet;
# it is effective only when the default inbound action is Block and no broader Allow rule for
# these ports (for example a generic IIS/HTTP rule) exists, so review existing rules first.
New-NetFirewallRule -DisplayName "Restrict IDWeb" -Direction Inbound -LocalPort 80,443 -Protocol TCP -Action Allow -RemoteAddress 192.168.1.0/24
Web Application Firewall Rule
Block unauthenticated requests to the SearchStudents endpoint.
# Example ModSecurity rule. A single rule matching only REQUEST_URI would deny every request to the
# endpoint, including authenticated ones, so the rule is chained: it denies only when no
# Authorization header is present. This assumes IDWeb clients send credentials in that header;
# if the application uses a session cookie instead, test for that cookie in the second rule.
SecRule REQUEST_URI "@contains /SearchStudents" "id:1001,phase:1,deny,status:403,msg:'Unauthorized SearchStudents access',chain"
    SecRule &REQUEST_HEADERS:Authorization "@eq 0"
🧯 If You Can't Patch
- Implement network segmentation to isolate IDWeb from untrusted networks
- Deploy a reverse proxy with authentication requirements for all /SearchStudents requests
🔍 How to Verify
Check if Vulnerable:
Attempt to access the /SearchStudents endpoint without authentication. If student data is returned, the system is vulnerable.
Check Version:
Check Help > About in the IDWeb interface, or examine the application files for version information. Versions 3.1.052 and earlier are affected.
Verify Fix Applied:
Repeat the same unauthenticated request to the /SearchStudents endpoint. It should be rejected with an authentication error and return no data.
📡 Detection & Monitoring
Log Indicators:
- Multiple unauthenticated requests to /SearchStudents endpoint
- Unusual data volume from IDWeb application
Network Indicators:
- HTTP GET/POST requests to /SearchStudents without authentication headers
- Unusual outbound data transfers from IDWeb server
SIEM Query:
source="idweb.log" AND uri CONTAINS "SearchStudents" AND user="" AND NOT auth_token EXISTS
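The two log indicators above (repeated anonymous hits on SearchStudents, and unusual response volume) can be checked offline against exported web-server logs. The script below is an added example, not code from the advisory or from IDAttend; it assumes a W3C-style field layout with a cs-username of "-" for anonymous requests, and the log lines are constructed for illustration.

```python
"""Flag unauthenticated SearchStudents access in W3C-style web server logs.

Assumed field layout (constructed for this example, not IDWeb's real log):
date time c-ip cs-method cs-uri-stem cs-username sc-status sc-bytes
"""
from collections import defaultdict

# Constructed sample lines: one host queries /SearchStudents anonymously three
# times, one authenticated user makes a normal request, one probe is blocked.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-username sc-status sc-bytes
2023-03-01 09:00:01 203.0.113.7 POST /IDWeb/SearchStudents - 200 48213
2023-03-01 09:00:02 203.0.113.7 POST /IDWeb/SearchStudents - 200 51877
2023-03-01 09:00:03 203.0.113.7 POST /IDWeb/SearchStudents - 200 49902
2023-03-01 09:00:04 10.0.0.5 POST /IDWeb/SearchStudents jsmith 200 1204
2023-03-01 09:00:05 10.0.0.9 GET /IDWeb/Default.aspx - 200 3312
2023-03-01 09:00:06 198.51.100.2 GET /idweb/searchstudents - 403 0
"""

def parse(line):
    """Return a dict for one log record, or None for comment/blank lines."""
    if not line.strip() or line.startswith("#"):
        return None
    _date, _time, ip, method, uri, user, status, nbytes = line.split()
    return {"ip": ip, "method": method, "uri": uri.lower(), "user": user,
            "status": int(status), "bytes": int(nbytes)}

def find_suspects(log_text, min_hits=2, min_bytes=100_000):
    """Group anonymous (cs-username == '-') SearchStudents requests by client IP.

    An IP is reported when it has at least `min_hits` served (2xx) requests,
    at least `min_hits` blocked (non-2xx) attempts, or when the served
    responses total at least `min_bytes`, covering both log indicators above.
    """
    hits = defaultdict(lambda: {"served": 0, "blocked": 0, "bytes": 0})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or "/searchstudents" not in rec["uri"] or rec["user"] != "-":
            continue
        entry = hits[rec["ip"]]
        if 200 <= rec["status"] < 300:
            entry["served"] += 1
            entry["bytes"] += rec["bytes"]
        else:
            entry["blocked"] += 1
    return {ip: e for ip, e in hits.items()
            if e["served"] >= min_hits or e["blocked"] >= min_hits
            or e["bytes"] >= min_bytes}

if __name__ == "__main__":
    for ip, e in find_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {e['served']} served, {e['blocked']} blocked, {e['bytes']} bytes")
```

Lower the thresholds once the WAF rule is in place, since even a single blocked anonymous request to the endpoint is then worth a look.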