VYPR
Unrated severity · NVD Advisory · Published Jun 10, 2021 · Updated Aug 3, 2024

CVE-2021-31927

Description

An Insecure Direct Object Reference (IDOR) vulnerability in Annex Cloud Loyalty Experience Platform <2021.1.0.1 allows any authenticated attacker to modify any existing user, including users assigned to different environments and clients. It was fixed in v2021.1.0.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated attacker can modify any existing user in Annex Cloud Loyalty Experience Platform before 2021.1.0.2 via an Insecure Direct Object Reference (IDOR) vulnerability.

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability exists in Annex Cloud Loyalty Experience Platform versions prior to 2021.1.0.2 [1][2]. The vulnerability allows any authenticated attacker to modify any existing user, including users assigned to different environments and clients, due to improper access control checks on user modification endpoints [1]. The issue was fixed in version 2021.1.0.2 [1].
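
The missing object-level check described above, sketched as an added example (not Annex Cloud's code; the platform's endpoints and data model do not appear on this page): a handler that trusts the requested user id, beside one that scopes it to the caller's client and environment. The `User` model, function names, role rule and field allowlist are hypothetical, and the sample records are constructed.

```python
from dataclasses import dataclass

@dataclass
class User:
    user_id: int
    client: str        # tenant that owns the account
    environment: str   # environment within that client
    email: str
    role: str = "member"

# Constructed sample data: two clients, one of them with two environments.
USERS = {
    1: User(1, "client-a", "prod", "alice@a.example", "admin"),
    2: User(2, "client-a", "staging", "bob@a.example"),
    3: User(3, "client-b", "prod", "carol@b.example"),
}

EDITABLE = {"email"}  # fields a caller may change through this handler

class NotFound(Exception):
    """Raised for missing AND out-of-scope ids, so ids cannot be probed."""

def update_user_vulnerable(session: User, target_id: int, changes: dict) -> User:
    # IDOR: being logged in is the only requirement; the id taken from the
    # request is trusted, so any record in the store can be modified.
    target = USERS[target_id]
    for field, value in changes.items():
        setattr(target, field, value)
    return target

def update_user_scoped(session: User, target_id: int, changes: dict) -> User:
    target = USERS.get(target_id)
    # Object-level check: the record must belong to the caller's own
    # client and environment, both taken from the session, never the request.
    if (target is None or target.client != session.client
            or target.environment != session.environment):
        raise NotFound(target_id)
    # Within scope, only an admin may edit an account other than their own.
    if target.user_id != session.user_id and session.role != "admin":
        raise NotFound(target_id)
    # Allowlist of writable fields, so "role" cannot be set by the caller.
    unknown = set(changes) - EDITABLE
    if unknown:
        raise ValueError(f"fields not editable: {sorted(unknown)}")
    for field, value in changes.items():
        setattr(target, field, value)
    return target
```

Returning the same `NotFound` for absent and out-of-scope ids keeps the response from revealing which identifiers exist in other clients.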

Exploitation

An attacker needs to be authenticated to the Annex Cloud Loyalty Experience Platform [1]. Once authenticated, the attacker can craft requests targeting user modification endpoints, directly referencing user identifiers that belong to other environments or clients without proper authorization checks [1]. No additional privileges beyond standard authentication are required to exploit this flaw.

Impact

Successful exploitation allows an authenticated attacker to arbitrarily modify user accounts across different environments and clients within the platform [1]. This can lead to unauthorized privilege escalation, data integrity compromise, and potential lateral movement or account takeover, violating the confidentiality and integrity of user data [1].

Mitigation

The vulnerability is fixed in Annex Cloud Loyalty Experience Platform version 2021.1.0.2 [1]. Organizations using affected versions (prior to 2021.1.0.2) should upgrade immediately to the fixed release [1][2]. No workarounds are documented in the available references [1][2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

2
