EUVD-2015-9423

CVE-2015-20121 | HIGH 8.2 (CVSS 3.1)
2026-03-15 VulnCheck

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: None

Lifecycle Timeline

Mar 18, 2026 15:24 (vuln.today): PoC Detected. Public exploit code.
Mar 15, 2026 20:00 (euvd): EUVD ID Assigned, EUVD-2015-9423
Mar 15, 2026 20:00 (vuln.today): Analysis Generated
Mar 15, 2026 18:34 (nvd): CVE Published

Description

Next Click Ventures RealtyScript 4.0.2 contains SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting arbitrary SQL code through the GET parameter 'u_id' in /admin/users.php and the POST parameter 'agent[]' in /admin/mailer.php. Attackers can exploit time-based blind SQL injection techniques to extract sensitive database information or cause denial of service through sleep-based payloads.

Analysis

SQL injection vulnerabilities in RealtyScript 4.0.2 allow unauthenticated remote attackers to manipulate database queries through vulnerable parameters in admin panel files (/admin/users.php and /admin/mailer.php). Attackers can extract sensitive database information using time-based blind SQL injection or cause denial of service. A public proof-of-concept exploit is available on Exploit-DB, though the vulnerability is not currently in CISA's KEV catalog.

Technical Context

RealtyScript (CPE: cpe:2.3:a:next_click_ventures:realtyscripts:*:*:*:*:*:*:*:*) is a PHP-based real estate listing management system. The flaw is CWE-89, improper neutralization of special elements used in an SQL command: the 'u_id' GET parameter in /admin/users.php and each element of the 'agent[]' POST array in /admin/mailer.php are concatenated directly into SQL statements rather than bound as parameters. An attacker therefore controls part of the query text and can append arbitrary SQL, including a conditional call to a delay function such as MySQL's SLEEP(). The presence or absence of the delay leaks one bit per request, which is enough to extract data blindly even when the page returns no query output, and a large or repeated delay ties up database connections, which is the denial-of-service angle.

Affected Products

Next Click Ventures RealtyScript version 4.0.2 is confirmed vulnerable. The CPE above carries a wildcard in its version field, which is how an unversioned product entry is written; it does not by itself establish that other versions are affected, and only 4.0.2 is explicitly confirmed in the EUVD data. Both vulnerable scripts live under /admin/, and the description states that no authentication is required, so any installation whose /admin/ directory is reachable over the network should be treated as exposed.

Remediation

No patch information is available in the provided references. Given the 2015 disclosure date and the apparent lack of a vendor response, organizations should treat RealtyScript 4.0.2 as end-of-life. Recommended mitigations:
1) Migrate to a supported real estate management system.
2) If migration is not immediately possible, deploy web application firewall rules that block SQL injection attempts against /admin/users.php and /admin/mailer.php, and treat this as a stopgap, since signature filters can be bypassed.
3) Restrict access to the /admin/ directory with IP allow-listing or an additional authentication layer placed in front of the application.
4) If the source can be modified, rewrite the affected queries to use prepared statements with bound parameters, binding each element of agent[] to its own placeholder, and validate that u_id and every agent[] value are integers before they reach the database.
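The fix in point 4, as an added example written against a Python/SQLite stand-in rather than the vendor's PHP: the users table, its columns, the sample rows and the two handler functions are constructed assumptions. The "vulnerable" functions reproduce only the concatenation pattern the advisory describes, for the scalar u_id case and for the agent[] list case, beside the parameterized form of each; the list case is the one most often mis-fixed, because imploding an array into IN (...) is still string concatenation.

```python
"""Parameterized replacements for the two injection sites (added example;
schema, rows and handlers are constructed, SQLite stands in for MySQL)."""
import sqlite3


def build_db():
    """Constructed sample data: one admin and two agents."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (u_id INTEGER, username TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'admin',  'admin'),
                                 (2, 'agent1', 'agent'),
                                 (3, 'agent2', 'agent');
    """)
    return conn


def is_id_list(values):
    """Shape check shared by both handlers: non-empty, every element an integer."""
    return bool(values) and all(isinstance(v, str) and v.isdigit() for v in values)


def vulnerable_users(conn, u_id):
    """Flawed pattern for GET u_id: the value becomes part of the SQL text."""
    sql = "SELECT username FROM users WHERE u_id = " + u_id + " ORDER BY u_id"
    return conn.execute(sql).fetchall()


def safe_users(conn, u_id):
    """Validate the shape, then bind; the value can never be parsed as SQL."""
    if not is_id_list([u_id]):
        raise ValueError("u_id must be a positive integer")
    sql = "SELECT username FROM users WHERE u_id = ? ORDER BY u_id"
    return conn.execute(sql, (int(u_id),)).fetchall()


def vulnerable_mailer(conn, agents):
    """Flawed pattern for POST agent[]: the list is imploded into IN (...),
    so one crafted element rewrites the rest of the WHERE clause."""
    sql = ("SELECT username FROM users WHERE role = 'agent' AND u_id IN ("
           + ",".join(agents) + ") ORDER BY u_id")
    return conn.execute(sql).fetchall()


def safe_mailer(conn, agents):
    """One placeholder per element; the SQL text depends only on the list
    length, never on its contents."""
    if not is_id_list(agents):
        raise ValueError("agent[] must be a non-empty list of integer ids")
    placeholders = ",".join("?" * len(agents))
    sql = ("SELECT username FROM users WHERE role = 'agent' AND u_id IN ("
           + placeholders + ") ORDER BY u_id")
    return conn.execute(sql, [int(a) for a in agents]).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(vulnerable_users(db, "2 OR 1=1"))                 # every user leaks
    print(vulnerable_mailer(db, ["2", "3) OR 1=1 --"]))     # the admin row leaks
    print(safe_users(db, "2"), safe_mailer(db, ["2", "3"]))
```

Binding alone would already neutralise both payloads, since a bound value is transmitted separately from the statement and can only ever be compared, not executed. The explicit integer check is kept because it rejects malformed input at the edge with a clear error instead of letting it reach the database as a harmless but confusing text-versus-integer comparison, and it gives the WAF and the logs a clean signal when someone probes the endpoint.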

Priority Score

61 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +41
POC: +20


EUVD-2015-9423 vulnerability details – vuln.today
