CVE-2015-7900

Infinite Automation Mango Automation <2.6.0-430 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-7900.

AI-analyzed exploit summary: The exploit demonstrates a CSRF-based file upload vulnerability in Mango Automation 2.6.0, allowing arbitrary JSP code execution by uploading a malicious JSP file via the 'graphicalViewsBackgroundUpload' endpoint. It also includes a CSRF exploit for arbitrary command execution via DWR and details for SQL injection and debug log exposure.

Description

Infinite Automation Mango Automation 2.5.x and 2.6.x before 2.6.0 build 430 allows remote attackers to obtain sensitive debugging information by entering a crafted URL to trigger an exception, and then visiting a certain status page.

Exploits (1)

exploitdb WORKING POC
webapps / jsp
https://www.exploit-db.com/exploits/38338

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Mango Automation 2.5.2 and 2.6.0 beta (build 327)
Auth required
Prerequisites: Authenticated session · Access to the target server
devstral-2 · analyzed Feb 19, 2026

References (1)

Core References
Patch, Third Party Advisory, US Government Resource, x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSA-15-300-02

Scores

EPSS 0.0295
EPSS Percentile 85.3%

Details

CWE: CWE-200
Status: published
Products (3)
infinite_automation_systems/mango_automation 2.5.0
infinite_automation_systems/mango_automation 2.5.5
infinite_automation_systems/mango_automation 2.6.0
Published: Oct 28, 2015
Tracked Since: Feb 18, 2026