CVE-2015-20121

HIGH8.8

RealtyScript 4.0.2 SQL Injection via u_id and agent Parameters

Published Mar 15, 2026

Modified Yesterday

Details

Next Click Ventures RealtyScript 4.0.2 contains SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting arbitrary SQL code through the GET parameter 'u_id' in /admin/users.php and the POST parameter 'agent[]' in /admin/mailer.php. Attackers can exploit time-based blind SQL injection techniques to extract sensitive database information or cause denial of service through sleep-based payloads.

References

ADVISORY

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5270.php

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2015-20121

DETECTION

https://www.exploit-db.com/exploits/38497

ADVISORY

https://www.vulncheck.com/advisories/realtyscript-sql-injection-via-u-id-and-agent-parameters

CVSS Analysis

CVSS v4.0

8.8