Marval MSM < v15.2 has a Remote Code Execution vulnerability. An authenticated remote attacker is able to execute code in context of the web server.
Marval MSM uses a static encryption key for storing secrets in the database. An attacker that gains access to encrypted secrets can decrypt them using keys from another instance.
Marval MSM < v15.1 has a System account with default credentials. A remote attacker is able to login and create a valid session which makes it possible to make backend calls to certain endpoints in the application.