CVE-2015-20120

CVE-2015-20120 affects Next Click Ventures RealtyScript 4.0.2 and consists of multiple time-based blind SQL injection vulnerabilities (CWE-89). These flaws exist in application parameters, where attackers can inject SQL code to extract database information. The vulnerability enables inference of data through crafted requests using time-delay payloads, with responses revealing contents character by character based on timing differences. It carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).

Unauthenticated attackers can exploit these vulnerabilities remotely over the network with low attack complexity, requiring no privileges or user interaction. Exploitation involves sending specially crafted HTTP requests to affected parameters, observing response delays to exfiltrate sensitive database information such as credentials, user data, or configuration details. This results in high confidentiality impact by disclosing database contents and low integrity impact through potential minor data manipulation, while availability remains unaffected.

Advisories detailing the vulnerabilities and proof-of-concept exploits are available at https://www.exploit-db.com/exploits/38497, https://www.vulncheck.com/advisories/realtyscript-multiple-time-based-blind-sql-injection, and https://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5270.php. These resources provide further technical details on affected endpoints and exploitation techniques, though no vendor patches are referenced in the CVE publication dated 2026-03-16.