CVE-2015-7904 - Unrestricted file upload vulnerability in Infinite Automation Mango Automation 2.5.x and 2.6.x befor

CVE-2015-7904

Summary

Unrestricted file upload vulnerability in Infinite Automation Mango Automation 2.5.x and 2.6.x before 2.6.0 build 430 allows remote authenticated users to execute arbitrary JSP code via vectors involving an upload of an image file. <a href="http://cwe.mitre.org/data/definitions/434.html">CWE-434: Unrestricted Upload of File with Dangerous Type</a>

References

https://ics-cert.us-cert.gov/advisories/ICSA-15-300-02

Vulnerable Configurations

cpe:2.3:a:infinite_automation_systems:mango_automation:2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:infinite_automation_systems:mango_automation:2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:infinite_automation_systems:mango_automation:2.5.5:*:*:*:*:*:*:*
cpe:2.3:a:infinite_automation_systems:mango_automation:2.5.5:*:*:*:*:*:*:*
cpe:2.3:a:infinite_automation_systems:mango_automation:2.6.0:*:*:*:*:*:*:*
cpe:2.3:a:infinite_automation_systems:mango_automation:2.6.0:*:*:*:*:*:*:*

CVSS

Base:	6.5 (as of 28-10-2015 - 21:05)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	SINGLE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:S/C:P/I:P/A:P

refmap via4

misc

https://ics-cert.us-cert.gov/advisories/ICSA-15-300-02

Last major update

28-10-2015 - 21:05

Published

28-10-2015 - 10:59

Last modified

28-10-2015 - 21:05