CVE-2015-20121

Name of the Vulnerable Software and Affected Versions RealtyScript version 4.0.2

Description RealtyScript 4.0.2 contains SQL injection flaws that allow unauthenticated attackers to manipulate database queries. This is achieved by injecting arbitrary SQL code through the GET parameter u id in the '/admin/users.php' endpoint and the POST parameter agent[] in the '/admin/mailer.php' endpoint. Attackers can exploit time-based blind SQL injection techniques to extract sensitive database information or cause a denial of service using sleep-based payloads.

Recommendations Update to a newer version that contains a fix for this vulnerability.