CVE-2015-20115
Published: 16 March 2026
Summary
CVE-2015-20115 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Nextclickventures Realtyscript. Its CVSS base score is 7.2 (High).
Operationally, ranked at the 8.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
NVD Description
Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize file uploads, allowing attackers to store malicious scripts through the file POST parameter in admin/tools.php. Attackers can upload files containing JavaScript code that executes in the context of admin/tools.php when accessed…
more
by other users.
Deeper analysisAI
CVE-2015-20115 is a stored cross-site scripting (XSS) vulnerability (CWE-79) in Next Click Ventures RealtyScript 4.0.2. The issue stems from improper sanitization of file uploads via the "file" POST parameter in the admin/tools.php component. This allows attackers to upload files containing malicious JavaScript code, which is stored and executes in the context of admin/tools.php when accessed by other users. The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By sending a crafted file upload request to admin/tools.php, they can store JavaScript payloads that trigger when administrators or other users visit the page, executing in the victim's browser context and potentially enabling actions like session theft or phishing within the changed security scope.
Advisories and resources, including those from VulnCheck, Zero Science Labs (ZSL-2015-5269), and Exploit-DB (exploit 38496), document the vulnerability and provide proof-of-concept details but do not specify patches or mitigations in the available CVE information.
A proof-of-concept exploit has been publicly available since at least 2015, as referenced in Exploit-DB. The CVE was formally published on 2026-03-16.
Details
- CWE(s)