CVE-2015-20121
Published: 16 March 2026
Summary
CVE-2015-20121 is a high-severity SQL Injection (CWE-89) vulnerability in Nextclickventures Realtyscript. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Next Click Ventures RealtyScript 4.0.2 is affected by SQL injection vulnerabilities (CWE-89) identified as CVE-2015-20121, with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). These flaws allow attackers to inject arbitrary SQL code through the GET parameter 'u_id' in the /admin/users.php endpoint and the POST parameter 'agent[]' in the /admin/mailer.php endpoint, enabling manipulation of database queries.
Unauthenticated remote attackers can exploit these vulnerabilities over the network with low complexity and no user interaction required. Successful exploitation permits time-based blind SQL injection techniques to extract sensitive database information, such as user credentials or other confidential data, or to cause denial of service via sleep-based payloads that delay query execution.
Advisories detailing the vulnerabilities and proof-of-concept exploits are available from Zero Science Labs (ZSL-2015-5270), Exploit-DB (exploit 38497), and VulnCheck, which describe the injection points and potential impacts but do not specify patches or mitigations in the provided references.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2015-9423
Vulnerability details
Next Click Ventures RealtyScript 4.0.2 contains SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting arbitrary SQL code through the GET parameter 'u_id' in /admin/users.php and the POST parameter 'agent[]' in /admin/mailer.php. Attackers can exploit time-based…
more
blind SQL injection techniques to extract sensitive database information or cause denial of service through sleep-based payloads.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in unauthenticated public-facing web application enables exploitation of public-facing application (T1190), credential access via exploitation (T1212), and collection of data from databases (T1213.006).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates SQL injection by requiring validation and sanitization of untrusted inputs like the 'u_id' GET parameter and 'agent[]' POST parameter before use in database queries.
Mandates identification, reporting, prioritization, and timely remediation of the specific SQL injection flaws in /admin/users.php and /admin/mailer.php.
Boundary protection with web application firewalls or proxies can inspect and block SQL injection payloads targeting the vulnerable admin endpoints.