CVE-2015-20121
Published: 16 March 2026
Summary
CVE-2015-20121 is a high-severity SQL Injection (CWE-89) vulnerability in Nextclickventures Realtyscript. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates SQL injection by requiring validation and sanitization of untrusted inputs like the 'u_id' GET parameter and 'agent[]' POST parameter before use in database queries.
Mandates identification, reporting, prioritization, and timely remediation of the specific SQL injection flaws in /admin/users.php and /admin/mailer.php.
Boundary protection with web application firewalls or proxies can inspect and block SQL injection payloads targeting the vulnerable admin endpoints.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in unauthenticated public-facing web application enables exploitation of public-facing application (T1190), credential access via exploitation (T1212), and collection of data from databases (T1213.006).
NVD Description
Next Click Ventures RealtyScript 4.0.2 contains SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting arbitrary SQL code through the GET parameter 'u_id' in /admin/users.php and the POST parameter 'agent[]' in /admin/mailer.php. Attackers can exploit time-based…
more
blind SQL injection techniques to extract sensitive database information or cause denial of service through sleep-based payloads.
Deeper analysisAI
Next Click Ventures RealtyScript 4.0.2 is affected by SQL injection vulnerabilities (CWE-89) identified as CVE-2015-20121, with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). These flaws allow attackers to inject arbitrary SQL code through the GET parameter 'u_id' in the /admin/users.php endpoint and the POST parameter 'agent[]' in the /admin/mailer.php endpoint, enabling manipulation of database queries.
Unauthenticated remote attackers can exploit these vulnerabilities over the network with low complexity and no user interaction required. Successful exploitation permits time-based blind SQL injection techniques to extract sensitive database information, such as user credentials or other confidential data, or to cause denial of service via sleep-based payloads that delay query execution.
Advisories detailing the vulnerabilities and proof-of-concept exploits are available from Zero Science Labs (ZSL-2015-5270), Exploit-DB (exploit 38497), and VulnCheck, which describe the injection points and potential impacts but do not specify patches or mitigations in the provided references.
Details
- CWE(s)