CVE-2021-31928

Vulnerability

Annex Cloud Loyalty Experience Platform prior to version 2021.1.0.1 contains an access control vulnerability that allows any authenticated attacker to escalate their privileges to the superadministrator role [1]. The issue is present in all versions before 2021.1.0.2, where the fix was implemented [1].

Exploitation

An attacker only needs a valid authenticated session on the platform—no additional privileges or special network position is required. The lack of proper privilege checks allows the attacker to perform actions that grant superadministrator access without any user interaction [1].

Impact

Upon successful exploitation, the attacker gains full superadministrator privileges, which provides unrestricted access to all platform features, configurations, and data. This leads to complete compromise of confidentiality, integrity, and availability of the loyalty experience platform [1].

Mitigation

The vulnerability is fixed in version 2021.1.0.2 [1]. All users should upgrade to this version or later. No workarounds are documented in the available references [1].