CVE-2015-20115
Published: 16 March 2026
Summary
CVE-2015-20115 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Nextclickventures Realtyscript. Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2015-20115 is a stored cross-site scripting (XSS) vulnerability (CWE-79) in Next Click Ventures RealtyScript 4.0.2. The issue stems from improper sanitization of file uploads via the "file" POST parameter in the admin/tools.php component. This allows attackers to upload files containing malicious JavaScript code, which is stored and executes in the context of admin/tools.php when accessed by other users. The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By sending a crafted file upload request to admin/tools.php, they can store JavaScript payloads that trigger when administrators or other users visit the page, executing in the victim's browser context and potentially enabling actions like session theft or phishing within the changed security scope.
Advisories and resources, including those from VulnCheck, Zero Science Labs (ZSL-2015-5269), and Exploit-DB (exploit 38496), document the vulnerability and provide proof-of-concept details but do not specify patches or mitigations in the available CVE information.
A proof-of-concept exploit has been publicly available since at least 2015, as referenced in Exploit-DB. The CVE was formally published on 2026-03-16.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2015-9411
Vulnerability details
Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize file uploads, allowing attackers to store malicious scripts through the file POST parameter in admin/tools.php. Attackers can upload files containing JavaScript code that executes in the context of admin/tools.php when accessed…
more
by other users.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS via unsanitized file upload directly enables exploitation of a public-facing web app (T1190) and injection of malicious content/scripts into pages viewed by victims (T1659).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation and sanitization of all input, directly blocking unsanitized file uploads containing JavaScript via the file POST parameter.
Mandates malicious code scanning and blocking on uploaded content before storage or execution in admin/tools.php.
Enforces output filtering on responses from admin/tools.php to neutralize stored script payloads before browser execution.