Cyber Posture

CVE-2015-20121

High · Public PoC

Published: 16 March 2026

Modified: 18 March 2026
KEV Added
Patch
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0026 (49.2th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Description

Next Click Ventures RealtyScript 4.0.2 contains SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting arbitrary SQL code through the GET parameter 'u_id' in /admin/users.php and the POST parameter 'agent[]' in /admin/mailer.php. Attackers can exploit time-based blind SQL injection techniques to extract sensitive database information or cause denial of service through sleep-based payloads.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly mitigates SQL injection by requiring validation and sanitization of untrusted inputs like the 'u_id' GET parameter and 'agent[]' POST parameter before use in database queries.

prevent

Mandates identification, reporting, prioritization, and timely remediation of the specific SQL injection flaws in /admin/users.php and /admin/mailer.php.

prevent

Boundary protection with web application firewalls or proxies can inspect and block SQL injection payloads targeting the vulnerable admin endpoints.
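The input-validation and boundary-protection controls above can be expressed as an allow-list check on the two affected parameters. The following is an added example, not code from RealtyScript or from the referenced advisories; it assumes (the page does not say so) that 'u_id' and 'agent[]' carry numeric record IDs, and the function names and the digit limit are hypothetical.

```python
from urllib.parse import parse_qsl, urlsplit

# Endpoint -> (request part PHP reads the parameter from, PHP variable name).
# Endpoints and parameter names are the ones listed in the description.
# Paths are matched exactly, so normalise the path at the proxy first.
GUARDED = {
    "/admin/users.php": ("query", "u_id"),    # GET parameter 'u_id'
    "/admin/mailer.php": ("body", "agent"),   # POST parameter 'agent[]'
}
MAX_ID_DIGITS = 10  # constructed limit, adjust to the real ID column


def php_base_name(name: str) -> str:
    """Reduce a request key to the variable name PHP would populate.

    PHP treats 'agent[]', 'agent[3]' and 'agent' as the same variable and
    converts spaces and dots in names to underscores, so a filter that only
    compares the literal key can be sidestepped with 'u.id'.
    """
    base = name.lstrip(" ").split("[", 1)[0]
    return base.replace(" ", "_").replace(".", "_")


def is_numeric_id(value: str) -> bool:
    # Assumption: IDs are plain ASCII integers. isdigit() alone also accepts
    # some non-ASCII digit characters, hence the isascii() check.
    return value.isascii() and value.isdigit() and len(value) <= MAX_ID_DIGITS


def rejected_values(target: str, body: str = "") -> list[str]:
    """Return decoded values of a guarded parameter that are not numeric IDs.

    target is the request target (path plus query string); body is an
    application/x-www-form-urlencoded request body. An empty list means the
    request passes this check.
    """
    parts = urlsplit(target)
    rule = GUARDED.get(parts.path)
    if rule is None:
        return []
    source, param = rule
    # The query string is checked whatever the HTTP method is, because PHP
    # fills $_GET from it on POST requests as well.
    raw = parts.query if source == "query" else body
    return [value
            for name, value in parse_qsl(raw, keep_blank_values=True)
            if php_base_name(name) == param and not is_numeric_id(value)]
```

A proxy or front controller would reject and log any request for which `rejected_values` returns a non-empty list; this narrows the input to the two endpoints but does not replace parameterized queries in the application itself.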

Security Summary · AI

Next Click Ventures RealtyScript 4.0.2 is affected by SQL injection vulnerabilities (CWE-89) identified as CVE-2015-20121, with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). These flaws allow attackers to inject arbitrary SQL code through the GET parameter 'u_id' in the /admin/users.php endpoint and the POST parameter 'agent[]' in the /admin/mailer.php endpoint, enabling manipulation of database queries.

Unauthenticated remote attackers can exploit these vulnerabilities over the network with low complexity and no user interaction required. Successful exploitation permits time-based blind SQL injection techniques to extract sensitive database information, such as user credentials or other confidential data, or to cause denial of service via sleep-based payloads that delay query execution.

Advisories detailing the vulnerabilities and proof-of-concept exploits are available from Zero Science Labs (ZSL-2015-5270), Exploit-DB (exploit 38497), and VulnCheck, which describe the injection points and potential impacts but do not specify patches or mitigations in the provided references.

Details

CWE(s)

Affected Products

nextclickventures
realtyscript
4.0.2

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1212 Exploitation for Credential Access (Credential Access)
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in an unauthenticated, public-facing web application enables exploitation of a public-facing application (T1190), credential access via exploitation (T1212), and collection of data from databases (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References