CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize CSV file uploads, allowing attackers to inject malicious scripts through filename parameters in multipart form data. Attackers can upload files with XSS payloads in the filename field to execute arbitrary JavaScript in users' browsers when the file is processed or displayed.
Analysis
A stored cross-site scripting (XSS) vulnerability in Next Click Ventures RealtyScript 4.0.2 allows unauthenticated attackers to inject malicious scripts through unsanitized CSV file upload filenames. When users process or view uploaded files, arbitrary JavaScript executes in their browsers and can steal session cookies, modify page content, and perform actions on behalf of the victim. A public proof-of-concept exploit exists (Exploit-DB #38496), though no evidence of active exploitation (KEV) has been documented; the moderate CVSS score (6.1) reflects the requirement for user interaction to trigger the vulnerability.
Technical Context
The vulnerability stems from improper input validation in the file upload handler (CWE-79: Improper Neutralization of Input During Web Page Generation) within RealtyScript's CSV import functionality. The application fails to sanitize the 'filename' parameter in multipart form data before storing or rendering it in the application context. When the filename containing XSS payloads (e.g., '<img src=x onerror="alert(1)">') is subsequently displayed in file listings, download links, or processing status pages, the browser interprets and executes the embedded JavaScript. This is a stored XSS variant because the malicious payload persists in the application state and affects all users who access the file metadata. The CPE identifier (cpe:2.3:a:next_click_ventures:realtyscript:*:*:*:*:*:*:*:*) confirms the vulnerability affects RealtyScript across its product line; version 4.0.2 is specifically documented as vulnerable.
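As an added illustration (not RealtyScript code and not part of the advisory), the Python sketch below shows the two controls whose absence the paragraph above describes: validating the client-supplied multipart filename at upload time, and HTML-escaping it wherever it is rendered. The request body, the allowlist pattern and the function names are constructed for this example.

```python
import html
import re
import uuid
from email import message_from_bytes

# Constructed multipart/form-data upload (sample input, not captured traffic).
# The filename is a variant of the markup payload quoted in the advisory.
SAMPLE_REQUEST = (
    b'Content-Type: multipart/form-data; boundary=XBOUND\r\n\r\n'
    b'--XBOUND\r\n'
    b'Content-Disposition: form-data; name="file"; '
    b'filename="<img src=x onerror=alert(1)>.csv"\r\n'
    b'Content-Type: text/csv\r\n\r\n'
    b'id,price\r\n1,250000\r\n'
    b'--XBOUND--\r\n'
)

# Assumed policy for this example: plain names ending in .csv, 104 chars max.
SAFE_NAME = re.compile(r'[A-Za-z0-9][A-Za-z0-9._ -]{0,99}\.csv')


def uploaded_filenames(raw_request: bytes) -> list:
    """Return the client-supplied filename of every file part, unmodified."""
    msg = message_from_bytes(raw_request)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def accept_upload(client_name: str) -> dict:
    """Reject names outside the allowlist; store under a server-chosen name."""
    if not SAFE_NAME.fullmatch(client_name):
        raise ValueError("filename rejected: not on the allowlist")
    return {"stored_as": uuid.uuid4().hex + ".csv", "display_name": client_name}


def render_listing_row(display_name: str) -> str:
    """Escape at output time, including for names that passed validation."""
    return "<li>" + html.escape(display_name, quote=True) + "</li>"


if __name__ == "__main__":
    for name in uploaded_filenames(SAMPLE_REQUEST):
        try:
            accept_upload(name)
        except ValueError as exc:
            print(exc, "->", render_listing_row(name))
```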
Affected Products
RealtyScript 4.0.2
EUVD-2015-9413