EUVD-2015-9421

| CVE-2015-20120 HIGH
2026-03-15 VulnCheck
8.2
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
PoC Detected
Mar 16, 2026 - 14:53 vuln.today
Public exploit code
EUVD ID Assigned
Mar 15, 2026 - 20:00 euvd
EUVD-2015-9421
Analysis Generated
Mar 15, 2026 - 20:00 vuln.today
CVE Published
Mar 15, 2026 - 18:35 nvd
HIGH 8.2

Tags

SQLi Realtyscript

Description

Next Click Ventures RealtyScript 4.0.2 contains multiple time-based blind SQL injection vulnerabilities that allow unauthenticated attackers to extract database information by injecting SQL code into application parameters. Attackers can craft requests with time-delay payloads to infer database contents character by character based on response timing differences.

Analysis

Multiple time-based blind SQL injection vulnerabilities in RealtyScript 4.0.2 allow unauthenticated remote attackers to extract database information by injecting malicious SQL queries with time-delay payloads. Attackers can infer database contents character by character based on response timing differences. A public proof-of-concept exploit is available on Exploit-DB, significantly increasing the risk of exploitation.

Technical Context

The vulnerability affects Next Click Ventures RealtyScript version 4.0.2 (CPE: cpe:2.3:a:next_click_ventures:realtyscript:*:*:*:*:*:*:*:*), a real estate listing management application. As a CWE-89 (SQL Injection) vulnerability, it stems from improper neutralization of special elements used in SQL commands. The application fails to properly sanitize user input before incorporating it into SQL queries, allowing attackers to inject time-based SQL payloads (e.g., SLEEP() or WAITFOR DELAY) to extract data through inference based on response delays.

Affected Products

Next Click Ventures RealtyScript version 4.0.2 is confirmed vulnerable according to ENISA EUVD-2015-9421. The CPE string indicates all configurations of RealtyScript are potentially affected, though only version 4.0.2 is specifically confirmed. The vulnerability affects multiple application parameters that can be exploited without authentication.

Remediation

No patch information is available in the provided references. Organizations should immediately upgrade from RealtyScript 4.0.2 to the latest version if available. As interim mitigations: implement web application firewall (WAF) rules to detect SQL injection patterns, enable database query logging to detect exploitation attempts, and consider restricting network access to the application. Contact Next Click Ventures for patch availability. The vendor advisories at zeroscience.mk and vulncheck.com may contain additional remediation details.

Priority Score

61
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +41
POC: +20

Share

EUVD-2015-9421 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy