CVE-2015-6494

Mango Automation 2.5.x and 2.6.x < 2.6.0 build 430 - Authenticated Cross-Site Scripting

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-6494.

AI-analyzed exploit summary The exploit demonstrates a CSRF-based file upload vulnerability in Mango Automation 2.6.0, allowing arbitrary JSP code execution by uploading a malicious JSP file via the 'graphicalViewsBackgroundUpload' endpoint. It also includes a CSRF exploit for arbitrary command execution via DWR and details for SQL injection and debug log exposure.

Description

Cross-site scripting (XSS) vulnerability in Infinite Automation Mango Automation 2.5.x and 2.6.x before 2.6.0 build 430 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

Exploits (1)

exploitdb WORKING POC
webappsjsp
https://www.exploit-db.com/exploits/38338

The exploit demonstrates a CSRF-based file upload vulnerability in Mango Automation 2.6.0, allowing arbitrary JSP code execution by uploading a malicious JSP file via the 'graphicalViewsBackgroundUpload' endpoint. It also includes a CSRF exploit for arbitrary command execution via DWR and details for SQL injection and debug log exposure.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Mango Automation 2.5.2 and 2.6.0 beta (build 327)
Auth required
Prerequisites: Authenticated session · Access to the target web interface
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (1)

Core 1
Core References
Patch, Third Party Advisory, US Government Resource x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSA-15-300-02

Scores

EPSS 0.0175
EPSS Percentile 74.8%

Details

CWE
CWE-79
Status published
Products (3)
infinite_automation_systems/mango_automation 2.5.0
infinite_automation_systems/mango_automation 2.5.5
infinite_automation_systems/mango_automation 2.6.0
Published Oct 28, 2015
Tracked Since Feb 18, 2026