CVE-2015-20115

EUVD-2015-9411 | HIGH | 7.2 (CVSS 3.1) | 2026-03-15 | VulnCheck

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

PoC Detected - Mar 16, 2026 14:53 (vuln.today): public exploit code
EUVD ID Assigned - Mar 15, 2026 19:00 (euvd): EUVD-2015-9411
Analysis Generated - Mar 15, 2026 19:00 (vuln.today)
CVE Published - Mar 15, 2026 18:34 (nvd): HIGH 7.2

Description

Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize file uploads, allowing attackers to store malicious scripts through the file POST parameter in admin/tools.php. Attackers can upload files containing JavaScript code that executes in the context of admin/tools.php when accessed by other users.

Analysis

Stored cross-site scripting (XSS) vulnerability in Next Click Ventures RealtyScript 4.0.2 that allows attackers to upload malicious JavaScript files through unsanitized file uploads in admin/tools.php. With a publicly available proof-of-concept exploit and a CVSS score of 7.2, attackers can execute JavaScript in the context of other users' browsers without authentication; however, the vulnerability is not listed in CISA KEV and has no EPSS score, which suggests limited real-world exploitation.

Technical Context

The vulnerability affects RealtyScript (CPE: cpe:2.3:a:next_click_ventures:realtyscript:*:*:*:*:*:*:*:*), a PHP-based real estate management system. The root cause is improper input validation (CWE-79) in the file upload functionality of admin/tools.php, where content submitted through the 'file' POST parameter is not sanitized. This allows attackers to upload files containing JavaScript code that executes when other users access the uploaded files through the application, resulting in stored (persistent) XSS rather than reflected XSS.

Affected Products

Next Click Ventures RealtyScript version 4.0.2 is confirmed vulnerable according to EUVD-2015-9411. The CPE string uses a wildcard version field (cpe:2.3:a:next_click_ventures:realtyscript:*:*:*:*:*:*:*:*), so other versions may be affected, though only 4.0.2 is explicitly confirmed. The vulnerability specifically affects the admin/tools.php file upload functionality in PHP-based installations.

Remediation

No official patch information is available in the provided references. The vendor advisory links point to third-party security research (zeroscience.mk and vulncheck.com) rather than official vendor communications. Recommended mitigations:

1) Implement strict file upload validation and sanitization in admin/tools.php.
2) Restrict file upload permissions to trusted administrators only.
3) Implement Content Security Policy (CSP) headers to mitigate XSS impact.
4) Consider upgrading to a newer version if available, or switching to an actively maintained alternative given the software's age.
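The following is an added example of what mitigations 1) and 3) look like in PHP; it is not RealtyScript's own code. It assumes an upload field named 'file' (the parameter the advisory names), a storage directory UPLOAD_DIR outside the web root, and an allowlist of three file types; the names and paths are placeholders to adapt to a real install.

```php
<?php
// Added example, not RealtyScript code. Hardened handling for an upload
// field named 'file' (the parameter the advisory names for admin/tools.php).
// UPLOAD_DIR and the allowlist are assumptions; adapt them to the install.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads'; // assumed: not served by the web server
const ALLOWED = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'pdf' => 'application/pdf'];

// Validate one $_FILES entry and store it under a server-chosen name.
function storeUpload(array $f): string
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Allowlist by extension; .html/.svg/.php etc. are simply not in the list.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('file type not allowed');
    }
    // Check the real content, not the client-supplied $f['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Drop the original filename entirely: random name plus the allowlisted extension.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($f['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('could not store file');
    }
    return $stored;
}

// Serve a stored file with headers that keep the browser from running it as
// HTML or script, so a file that slipped through cannot become stored XSS.
function sendUpload(string $stored): void
{
    $pattern = '/^[a-f0-9]{32}\.(' . implode('|', array_keys(ALLOWED)) . ')$/';
    if (!preg_match($pattern, $stored)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ALLOWED[pathinfo($stored, PATHINFO_EXTENSION)]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $stored . '"');
    header("Content-Security-Policy: default-src 'none'; sandbox");
    readfile(UPLOAD_DIR . '/' . $stored);
}
```

In the upload handler, call storeUpload($_FILES['file']) only after the admin session check that mitigation 2) requires, and route every download through sendUpload() so uploaded bytes are never served from a web-accessible path.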

Priority Score

56 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +36
POC: +20


CVE-2015-20115 vulnerability details – vuln.today
