Cyber Resilience

CVE-2015-20115

MediumPublic PoC

Published: 16 March 2026

Published
16 March 2026
Modified
19 March 2026
KEV Added
Patch
CVSS Score v4 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0003 10.9th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2015-20115 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Nextclickventures Realtyscript. Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2015-20115 is a stored cross-site scripting (XSS) vulnerability (CWE-79) in Next Click Ventures RealtyScript 4.0.2. The issue stems from improper sanitization of file uploads via the "file" POST parameter in the admin/tools.php component. This allows attackers to upload files containing malicious JavaScript code, which is stored and executes in the context of admin/tools.php when accessed by other users. The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By sending a crafted file upload request to admin/tools.php, they can store JavaScript payloads that trigger when administrators or other users visit the page, executing in the victim's browser context and potentially enabling actions like session theft or phishing within the changed security scope.

Advisories and resources, including those from VulnCheck, Zero Science Labs (ZSL-2015-5269), and Exploit-DB (exploit 38496), document the vulnerability and provide proof-of-concept details but do not specify patches or mitigations in the available CVE information.

A proof-of-concept exploit has been publicly available since at least 2015, as referenced in Exploit-DB. The CVE was formally published on 2026-03-16.

EU & UK References

Vulnerability details

Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize file uploads, allowing attackers to store malicious scripts through the file POST parameter in admin/tools.php. Attackers can upload files containing JavaScript code that executes in the context of admin/tools.php when accessed…

more

by other users.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1659 Content Injection Initial Access
Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic.
Why these techniques?

Stored XSS via unsanitized file upload directly enables exploitation of a public-facing web app (T1190) and injection of malicious content/scripts into pages viewed by victims (T1659).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2015-20118Same product: Nextclickventures Realtyscript
CVE-2015-20117Same product: Nextclickventures Realtyscript
CVE-2015-20120Same product: Nextclickventures Realtyscript
CVE-2015-20121Same product: Nextclickventures Realtyscript
CVE-2024-57428Shared CWE-79
CVE-2021-47873Shared CWE-79
CVE-2026-7052Shared CWE-79
CVE-2024-56060Shared CWE-79
CVE-2025-49043Shared CWE-79
CVE-2026-40038Shared CWE-79

Affected Assets

nextclickventures
realtyscript
4.0.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation and sanitization of all input, directly blocking unsanitized file uploads containing JavaScript via the file POST parameter.

preventdetect

Mandates malicious code scanning and blocking on uploaded content before storage or execution in admin/tools.php.

prevent

Enforces output filtering on responses from admin/tools.php to neutralize stored script payloads before browser execution.

References