CVE-2021-31929
Description
Annex Cloud Loyalty Experience Platform <2021.1.0.1 allows any authenticated attacker to modify loyalty campaigns and settings, such as fraud prevention, coupon groups, email templates, or referrals.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Annex Cloud Loyalty Experience Platform before version 2021.1.0.1 allows any authenticated attacker to modify loyalty campaigns and settings, including fraud prevention, coupon groups, email templates, and referrals.
Vulnerability
Annex Cloud Loyalty Experience Platform versions prior to 2021.1.0.1 contain an access control vulnerability. Any authenticated user can modify loyalty campaigns and settings, such as fraud prevention, coupon groups, email templates, or referrals. The vulnerability exists in the platform's administrative functionality, where insufficient authorization checks allow authenticated users to perform modifications that should be restricted to higher-privileged roles.
Exploitation
An attacker needs valid credentials for any user account on the Annex Cloud Loyalty Experience Platform. With those credentials, the attacker can access the administrative interface and modify various loyalty program configurations, including fraud prevention rules, coupon groups, email templates, and referral settings. No additional privileges or user interaction is required beyond authentication.
Impact
Successful exploitation allows the attacker to alter critical loyalty program settings, potentially leading to unauthorized coupon generation, modification of email templates (which could be used for phishing), disabling fraud prevention measures, or manipulating referral programs. This could result in financial loss, reputational damage, and compromise of the loyalty platform's integrity.
Mitigation
The vulnerability is fixed in Annex Cloud Loyalty Experience Platform version 2021.1.0.1. Organizations should upgrade to this version or later. No workarounds are documented in the available references. If upgrading is not immediately possible, administrators should review and restrict user permissions to the minimum necessary.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Annex Cloud/Loyalty Experience Platform (source: description)
- Range: <2021.1.0.1
Patches
No patches discovered yet.
References
- github.com/Accenture/AARO-Bugs/blob/master/AARO-CVE-List.md (mitre, x_refsource_MISC)
- www.annexcloud.com (mitre, x_refsource_MISC)