CVE-2015-7902

Mango Automation <2.6.0-430 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-7902.

AI-analyzed exploit summary: The exploit demonstrates a CSRF-based file upload vulnerability in Mango Automation 2.6.0, allowing arbitrary JSP code execution by uploading a malicious JSP file via the 'graphicalViewsBackgroundUpload' endpoint. It also includes additional exploits for arbitrary command execution and SQL injection.

Description

Infinite Automation Mango Automation 2.5.x and 2.6.x before 2.6.0 build 430 provides different error messages for failed login attempts in unspecified circumstances, which allows remote attackers to obtain sensitive information via a series of requests.

Exploits (1)

exploitdb WORKING POC
webapps · jsp
https://www.exploit-db.com/exploits/38338

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Mango Automation 2.5.2 and 2.6.0 beta (build 327)
Auth required
Prerequisites: Authenticated session · Access to the target application
devstral-2 · analyzed Feb 19, 2026

References (1)

Core References
Patch, Third Party Advisory, US Government Resource x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSA-15-300-02

Scores

EPSS 0.0350
EPSS Percentile 87.6%

Details

CWE CWE-200
Status published
Products (3)
infinite_automation_systems/mango_automation 2.5.0
infinite_automation_systems/mango_automation 2.5.5
infinite_automation_systems/mango_automation 2.6.0
Published Oct 28, 2015
Tracked Since Feb 18, 2026