CVE-2015-20116
MEDIUM
RealtyScript 4.0.2 Stored Cross-Site Scripting via CSV File Upload Filename
Title source: cna
Description
Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize CSV file uploads, allowing attackers to inject malicious scripts through filename parameters in multipart form data. Attackers can upload files with XSS payloads in the filename field to execute arbitrary JavaScript in users' browsers when the file is processed or displayed.
Exploits (1)
References (3)
Core References
Third Party Advisory
Zero Science Lab Disclosure
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5269.php
Third Party Advisory
VulnCheck Advisory: RealtyScript 4.0.2 Stored Cross-Site Scripting via CSV File Upload Filename
https://www.vulncheck.com/advisories/realtyscript-stored-cross-site-scripting-via-csv-file-upload-filename
Scores
CVSS v3
6.1
EPSS
0.0004
EPSS Percentile
13.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
Next Click Ventures/RealtyScript
4.0.2
nextclickventures/realtyscript
4.0.2
Published
Mar 16, 2026
Tracked Since
Mar 16, 2026