How serious is CVE-2015-20121?

This vulnerability has a CVSS score of 8.8 out of 10, classified as HIGH severity. Proof-of-concept exploit code is publicly available, making this an active threat.

Is there exploit code available for CVE-2015-20121?

Yes, proof-of-concept exploit code for CVE-2015-20121 is publicly available on GitHub and security research platforms. This increases the risk of active exploitation.

Which products are affected by CVE-2015-20121?

CVE-2015-20121 affects nextclickventures realtyscript. Check the full CVE details for specific version information.

How do I fix CVE-2015-20121?

To remediate CVE-2015-20121, check for security patches from nextclickventures. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2015-20121

High

|8.8

Exploit Available

Plain English Summary

AI-powered analysis for quick understanding

This vulnerability allows attackers to manipulate database queries and potentially access sensitive information by injecting malicious SQL code through specific web form inputs, without needing to log in. All an attacker needs is to send specially crafted requests to the affected URLs, making it relatively easy to exploit.

Technical Description

Next Click Ventures RealtyScript 4.0.2 contains SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting arbitrary SQL code through the GET parameter 'u_id' in /admin/users.php and the POST parameter 'agent[]' in /admin/mailer.php. Attackers can exploit time-based blind SQL injection techniques to extract sensitive database information or cause denial of service through sleep-based payloads.

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

Confidentiality ImpactHigh

Integrity ImpactHigh

Availability ImpactHigh

ScopeChanged

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$4,789($1K-$5K)

Vendor Response

Grade APatched in 2 days

Quick Information

Published

Mar 16, 2026

22 days ago

Last Modified

Mar 18, 2026

20 days ago

Vendor

nextclickventures

Product

realtyscript

Related Vulnerabilities

CVE-2015-20120High

This vulnerability allows attackers to secretly access and extract sensitive information from the database of RealtyScript by sending specially crafted requests, even without logging in. They can do this by measuring how long it takes the system to respond, which reveals data one piece at a time.

CVE-2015-20119Medium

This vulnerability allows an attacker with a valid account to inject harmful HTML and iframe code into the RealtyScript admin interface, which can then execute in the browsers of users who visit affected pages. To exploit this, the attacker must submit a specially crafted request while logged in, enabling them to store and display malicious content to other users.

CVE-2015-20118Medium

This vulnerability allows an attacker to run malicious JavaScript code in the browsers of administrators by submitting specially crafted data through the admin locations interface. To exploit this, the attacker needs access to the locations.php endpoint and must input harmful scripts into the location_name field.

CVE-2015-20117Medium

This vulnerability allows attackers to create unauthorized user accounts, including administrative ones, by tricking users into submitting malicious forms. It requires no authentication, meaning anyone can exploit it simply by sending specially crafted requests to the system's user management endpoints.

CVE-2015-20116Medium

This vulnerability allows attackers to upload files with malicious scripts hidden in the filenames, which can then run harmful JavaScript in users' browsers when the files are viewed. It occurs because the system does not properly check or clean the filenames in the uploaded files, making it easy for attackers to exploit this weakness.