How serious is CVE-2015-20114?

This vulnerability has a CVSS score of 5.1 out of 10, classified as MEDIUM severity. Proof-of-concept exploit code is publicly available, making this an active threat.

Is there exploit code available for CVE-2015-20114?

Yes, proof-of-concept exploit code for CVE-2015-20114 is publicly available on GitHub and security research platforms. This increases the risk of active exploitation.

Which products are affected by CVE-2015-20114?

CVE-2015-20114 affects nextclickventures realtyscript. Check the full CVE details for specific version information.

How do I fix CVE-2015-20114?

To remediate CVE-2015-20114, check for security patches from nextclickventures. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2015-20114

Medium

|5.1

Exploit Available

Plain English Summary

AI-powered analysis for quick understanding

This vulnerability allows attackers to run harmful scripts in users' web browsers when they interact with the affected RealtyScript application. It occurs because the application fails to properly clean user input, enabling attackers to send specially crafted requests that include their malicious code.

Technical Description

Next Click Ventures RealtyScript 4.0.2 contains a cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious input through multiple parameters that are not properly sanitized. Attackers can craft requests with injected script payloads in vulnerable parameters to execute code in users' browser sessions within the context of the affected application.

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionRequired

Confidentiality ImpactHigh

Integrity ImpactHigh

Availability ImpactHigh

ScopeChanged

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$690($500-$1K)

Vendor Response

Grade APatched in 2 days

Quick Information

Published

Mar 16, 2026

22 days ago

Last Modified

Mar 19, 2026

19 days ago

Vendor

nextclickventures

Product

realtyscript

Related Vulnerabilities

CVE-2015-20121High

This vulnerability allows attackers to manipulate database queries and potentially access sensitive information by injecting malicious SQL code through specific web form inputs, without needing to log in. All an attacker needs is to send specially crafted requests to the affected URLs, making it relatively easy to exploit.

CVE-2015-20120High

This vulnerability allows attackers to secretly access and extract sensitive information from the database of RealtyScript by sending specially crafted requests, even without logging in. They can do this by measuring how long it takes the system to respond, which reveals data one piece at a time.

CVE-2015-20119Medium

This vulnerability allows an attacker with a valid account to inject harmful HTML and iframe code into the RealtyScript admin interface, which can then execute in the browsers of users who visit affected pages. To exploit this, the attacker must submit a specially crafted request while logged in, enabling them to store and display malicious content to other users.

CVE-2015-20118Medium

This vulnerability allows an attacker to run malicious JavaScript code in the browsers of administrators by submitting specially crafted data through the admin locations interface. To exploit this, the attacker needs access to the locations.php endpoint and must input harmful scripts into the location_name field.

CVE-2015-20117Medium

This vulnerability allows attackers to create unauthorized user accounts, including administrative ones, by tricking users into submitting malicious forms. It requires no authentication, meaning anyone can exploit it simply by sending specially crafted requests to the system's user management endpoints.