CVE-2015-20116 | THREATINT

Description

Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize CSV file uploads, allowing attackers to inject malicious scripts through filename parameters in multipart form data. Attackers can upload files with XSS payloads in the filename field to execute arbitrary JavaScript in users' browsers when the file is processed or displayed.

PUBLISHED Reserved 2026-03-15 | Published 2026-03-15 | Updated 2026-03-16 | Assigner VulnCheck

MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

MEDIUM: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

4.0.2

affected

References

www.exploit-db.com/exploits/38496 (ExploitDB-38496) exploit

www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5269.php (Zero Science Lab Disclosure) third-party-advisory

www.vulncheck.com/...-scripting-via-csv-file-upload-filename (VulnCheck Advisory: RealtyScript 4.0.2 Stored Cross-Site Scripting via CSV File Upload Filename) third-party-advisory

cve.org (CVE-2015-20116)

nvd.nist.gov (CVE-2015-20116)

Download JSON