CVE-2022-31884: Marval MSM has an Improper Access Control vulnerability which allows low privilege users to delete other users' API keys, including Administrator ones.


Marval MSM v14.19.0.12476 has an Insufficient Session Management vulnerability which allows a low privilege user to view another user’s sessions.

CVSS Score: 7.5/10
Exploitation: Remotely Local Privilege Escalation
Risk: Medium/High
Description: Marval MSM v14.19.0.12476 has a Password Strength Inadequate vulnerability.

CVSS Score: 5.9/10
Exploitation: Local Attack Required
Risk: Medium/High
Description: Marval MSM v14.19.0.12476 has an Insufficient Authentication vulnerability which allows low privilege users to change another user’s password.

CVSS Score: 5.9/10
Exploitation: Remotely Local Attack Required
Risk: Medium/High
Description: Marval MSM v14.19.0.12476 has a Weak Authentication vulnerability which allows low privilege users to change another user’s password.

CVSS Score: 7.5/10
Exploitation: Remotely Local Privilege Escalation
Risk: Medium/High
Description: Marval MSM v14.19.0.12476 has an Insufficient Session Management vulnerability which allows a low privilege user to view another user’s sessions.

Marval MSM Firmware Description

Marval MSM is a French manufacturer of Digital Signage, Video Walls and Interactive Displays.

Marval MSM v14.19.0.12476 has a Password Strength Inadequate vulnerability which allows low privilege users to change another user’s password.
This vulnerability is due to the lack of password validation in the initial login process, which allows low privilege users to change any password by entering their own username and password into the login form in the UI.

Marval MSM v14.19.0.12476 - Password Strength Inadequate

Marval MSM v14.19.0.12476 has a Password Strength Inadequate vulnerability which allows low privilege users to change another user’s password. This is a high severity vulnerability that could allow malicious users to view sensitive information and perform harmful actions in the system, such as stealing content and data, changing passwords, or deleting other users in the system.

Marval MSM v14.19.0.12476 Product Overview

Marval MSM is a web server application which allows remote management of individual servers or clusters of servers.

Marval MSM v14.19.0.12476 - Password Strength Inadequate Vulnerability

Marval MSM v14.19.0.12476 has a Password Strength Inadequate vulnerability which allows low privilege users to change another user’s password.

Marval MSM v14.19.0.12476 HTTP vulnerabilities

Marval MSM v14.19.0.12476 has an Insufficient Authentication vulnerability which allows low privilege users to change another user’s password.
Marval MSM v14.19.0.12476 has a Weak Authentication vulnerability which allows low privilege users to change another user’s password.
