CVE-2015-7901
Published: 2015-10-28
Priority: P3, score 44 | Severity: medium, CVSS 2.0 base score 6.5
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:P/I:P/A:P (network, low complexity, single authentication required, partial confidentiality/integrity/availability impact)
Exploit: public exploit indexed (Exploit-DB, below)
EPSS: 3.26% (86.8th percentile)
Infinite Automation Mango Automation 2.5.x and 2.6.x through 2.6.0 build 430 allows remote authenticated users to execute arbitrary OS commands via unspecified vectors.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| infinite_automation_systems | mango_automation | — | — |
| infinite_automation_systems | mango_automation | — | — |
| infinite_automation_systems | mango_automation | — | — |
GHSA
GHSA-cmj6-phxg-4vx7 (ghsa_unreviewed · 2022-05-17) · CVE-2015-7901 · severity MEDIUM · CWE-78 (OS command injection)
Infinite Automation Mango Automation 2.5.x and 2.6.x through 2.6.0 build 430 allows remote authenticated users to execute arbitrary OS commands via unspecified vectors.
CISA ICS
Infinite Automation Systems Mango Automation Vulnerabilities (Update A)
cisa_ics·2015-10-27
## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
Last Revised: August 27, 2018
Alert Code: ICSA-15-300-02A
## OVERVIEW
This updated advisory is a follow-up to the original advisory titled ICSA-15-300-02 Infinite Automation Systems Mango Automation Vulnerabilities that was published October 27, 2015, on the NCCIC/ICS-CERT web site.
Steven Seeley of Source Incite and Gjoko Krstic of Zero Science Lab have independently identified vulnerabilities in the Infinite Automation Systems Mango Automation application.
## --------- Begin Update A Part 1 of 3 --------
In
No detection rules found.
Exploit-DB
Infinite Automation Mango Automation - Command Injection (Metasploit)
exploitdb·2017-09-13 · CVE-2015-7901
---
```ruby
##
# Exploit-DB excerpt of the Metasploit module. The class header and the
# initialize()/super(update_info(...)) wrapper were lost in extraction and are
# restored here in the standard Metasploit form; the HttpClient mixin is
# assumed (the module talks to the web UI). The listing is cut off on the page
# partway through the USER option and is left truncated here.
##
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Infinite Automation Mango Automation Command Injection',
      'Description'    => %q{
        This module exploits a command injection vulnerability found in Infinite
        Automation Systems Mango Automation v2.5.0 - 2.6.0 beta (builds prior to
        430).
      },
      'Author'         => [ 'james fitts' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2015-7901' ],
          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-15-300-02' ]
        ],
      'DisclosureDate' => 'Oct 28 2015'))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [ false, 'Base path to Mango Automation', '/login.htm']),
        OptString.new('CMD', [ false, 'The OS command to execute', 'calc.exe']),
        OptString.new('USER', [true, 'The username t
```
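The module excerpt above stops at its option block, and neither the CVE text nor the advisory names the injected parameter ("unspecified vectors"). What CWE-78 looks like in practice, and what the fix looks like, is shown in the following added example. It is illustrative Ruby written for this page, not Mango Automation code and not part of the Metasploit module: a hostname taken from a request is spliced into a shell string, beside the same operation done with an allowlist check and an argv array so that no shell ever tokenises the value. The host strings and the `ping` command are constructed for the demo.

```ruby
require 'open3'

# Constructed request values for the demo; not taken from the advisory.
BENIGN_HOST   = 'gateway.example.internal'
INJECTED_HOST = '127.0.0.1; id > /tmp/pwned'

# CWE-78 shape: the parameter is interpolated into one string that
# system()/backticks hand to /bin/sh, so ';', '|', '&&', '`' and '$()'
# inside the value become additional commands run as the service account.
def vulnerable_command(host)
  "ping -c 1 #{host}"
end

# Characters /bin/sh treats as separators, redirections or substitution.
SHELL_META = /[;&|`$<>(){}\n]/

def injectable?(cmd)
  cmd.match?(SHELL_META)
end

# Hardened form: reject anything outside the expected grammar, then pass the
# value as its own argv element. Given an array, system()/Open3 exec the
# program directly and no shell parses the input at all.
HOST_RE = /\A[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})\z/

def safe_command(host)
  raise ArgumentError, "rejected host #{host.inspect}" unless host.match?(HOST_RE)
  ['ping', '-c', '1', host]
end

# Executes the hardened form without a shell; returns [success?, stdout].
def run_safe(host)
  out, _err, status = Open3.capture3(*safe_command(host))
  [status.success?, out]
end

if $PROGRAM_NAME == __FILE__
  puts vulnerable_command(INJECTED_HOST)   # /bin/sh would run `id` as a second command
  p safe_command(BENIGN_HOST)
  begin
    safe_command(INJECTED_HOST)
  rescue ArgumentError => e
    puts "blocked: #{e.message}"
  end
end
```

The allowlist is the primary control; the argv form is the backstop. Escaping with `Shellwords.escape` and still using a single string is weaker than either, because it relies on the escaper matching every shell's quoting rules, and it does nothing about option injection (a value starting with `-`) that the regex above also rejects.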
Exploit-DB
Mango Automation 2.6.0 - Multiple Vulnerabilities
exploitdb·2015-09-28 · CVE-2015-7904
---
Mango Automation 2.6.0 CSRF File Upload And Arbitrary JSP Code Execution
Vendor: Infinite Automation Systems Inc.
Product web page: http://www.infiniteautomation.com/
Affected version: 2.5.2 and 2.6.0 beta (build 327)
Summary: Mango Automation is a flexible SCADA, HMI And Automation software application that allows you
to view, log, graph, animate, alarm, and report on data from sensors, equipment, PLCs, databases, webpages,
etc. It is easy, affordable, and open source.
Desc: Mango suffers from an authenticated arbitrary JSP code execution. The vulnerability is caused due
to the improper verification of uploaded image files in 'graphicalViewsBackgroundUpload' script via the
'backgroundImage' POST parameter which allows of arbitrar
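The Zero Science Lab write-up attributes the JSP execution to improper verification of the uploaded image. The check a server-side upload handler needs is shown in the following added example, which is illustrative Ruby for this page and not Mango's `graphicalViewsBackgroundUpload` code: the client-supplied extension is matched against an allowlist, the first bytes are matched against that type's file signature, and the file is stored under a server-generated name so a request can never choose `.jsp`. The sample PNG, JPEG and JSP payloads are constructed for the demo.

```ruby
require 'securerandom'

# Allowed extensions and the file signature(s) each must begin with.
IMAGE_SIGNATURES = {
  'png'  => ["\x89PNG\r\n\x1A\n".b],
  'jpg'  => ["\xFF\xD8\xFF".b],
  'jpeg' => ["\xFF\xD8\xFF".b],
  'gif'  => ["GIF87a".b, "GIF89a".b]
}.freeze

# Returns [true, stored_name] or [false, reason]. The client's filename is used
# only to pick an allowlisted extension; the name written to disk is generated
# server-side, so neither the extension nor a path can come from the request.
def validate_image_upload(client_filename, bytes)
  ext = File.extname(client_filename.to_s).delete_prefix('.').downcase
  sigs = IMAGE_SIGNATURES[ext]
  return [false, "extension #{ext.inspect} is not an allowed image type"] unless sigs

  head = bytes.to_s.b[0, 8]
  unless sigs.any? { |sig| head.start_with?(sig) }
    return [false, "content does not carry a #{ext} signature"]
  end

  [true, "#{SecureRandom.hex(16)}.#{ext}"]
end

# Constructed sample uploads (not from the advisory).
JSP_SHELL   = '<% Runtime.getRuntime().exec(request.getParameter("c")); %>'
TINY_PNG    = "\x89PNG\r\n\x1A\n".b + "\x00\x00\x00\rIHDR".b
JPEG_HEADER = "\xFF\xD8\xFF\xE0\x00\x10JFIF".b

if $PROGRAM_NAME == __FILE__
  p validate_image_upload('bg.png', TINY_PNG)      # accepted, random .png name
  p validate_image_upload('shell.jsp', JSP_SHELL)  # rejected on extension
  p validate_image_upload('shell.png', JSP_SHELL)  # rejected on signature
end
```

Two caveats a practitioner would want stated: a signature check alone does not stop a polyglot (a valid PNG header followed by JSP source), so the upload directory must also sit outside any path the servlet container maps to a JSP handler; and since the Exploit-DB title pairs this upload with CSRF, the form that reaches this handler needs an anti-CSRF token as well, which this function does not provide.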
No writeups or analysis indexed.