The database account and password are hardcoded, allowing login with the account to manipulate the database in MagicInfo9 Server.This issue affects MagicINFO 9 Server: less than 21.1090.1.
The vulnerability results from the use of static, hard-coded database credentials embedded in the application code (CWE-798 — Use of Hard-coded Credentials). An attacker who learns these credentials — for example through analysis of application files or publicly available information — can directly connect to the server database. The connection is possible without any authentication on the attacker's side, as the hard-coded credentials present in the application are sufficient. After gaining access, the attacker can read, modify, or delete data stored in the database.
Attackers gain full access to the MagicINFO 9 Server database, allowing them to read confidential data, modify it, or delete it, and consequently may lead to complete takeover of the digital signage system.
Samsung MagicINFO 9 Server should be updated to version 21.1090.1 or newer. Detailed information about available patches is available from the vendor at: https://security.samsungtv.com/securityUpdates
Samsung MagicINFO 9 Server in all versions older than 21.1090.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSamsung Magicinfo 9 Server
APPSamsung< 21.1090.1
Related vulnerabilities
Path Traversal w Samsung MagicINFO 9 Server — zapis plików jako SYSTEM
Samsung MagicINFO 9 Server — Stored XSS przez upload plików HTML
Path Traversal w Samsung MagicINFO 9 Server umożliwia wgranie web shell
Samsung MagicINFO 9 Server — nieograniczony upload pliku umożliwia Code Injection
Samsung MagicINFO 9 Server — nieograniczony upload pliku umożliwia Code Injection