Marval MSM < v15.1 has a System account with default credentials. A remote attacker is able to login and create a valid session which makes it possible to make backend calls to certain endpoints in the application.
9.1 - Critical
When Marval is installed, the database password for the
System account is set to a default password.
System account is supposed to only be used by Marval itself. It’s however possible to initiate a session using the credentials stored in the database. Even though logging in with this account will not render a working GUI, the session itself can be used to access certain API and Backend functions.
The issues was identified in Marval MSM 126.96.36.19910. The vendor released a fix in version 15.1 which was released six month ahead of the normal release schedule.
Change the password for the System user in the database or set it to NULL.
Upgrade to version 15.1 or later.
Vulnerabilites are disclosed, if not fixed earlier, after a minimum of 90 days from being reported to the vendor. If a patch is made available we give another 30 days in addition to the initial 90 days (90+30). This is to ensure that the vendor can inform customers and give them sufficient time to patch any vulnerable systems. We make all effort in to providing sufficient time for vendors to create and make patches available to the public before disclosure. For any questions regarding our vulnerability disclosures, feel free to contact us.
This vulnerability was resolved under ticket MSM-6514 in version 15.1 (2022-07-14), which is not an LTS release, however we considered it important enough to resolve 6 months ahead of our normal hardening schedule.
The Marval Pen Test policy dictates at a minimum that once a year, a release is security hardened by outsourcing penetration testing to a certified partner and subsequent rectifying the serious and critical issues prior to release. This release is called a long-term support release (LTS) and made available between January-February each year.