CVE-2015-20117
Status: Awaiting Analysis (queue)
CSRF in RealtyScript 4.0.2 Enables Admin Account Creation

Publication date: 2026-03-16

Last updated on: 2026-03-19

Assigner: VulnCheck

Description
Next Click Ventures RealtyScript 4.0.2 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create unauthorized user accounts and administrative users by crafting malicious forms. Attackers can submit hidden form data to /admin/addusers.php and /admin/editadmins.php endpoints to register new users with arbitrary credentials and escalate privileges to SUPERUSER level.
Meta Information
Generated: 2026-05-06
AI Q&A: 2026-03-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: nextclickventures
Product: realtyscript
Version / Range: 4.0.2
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2015-20117 is a Cross-Site Request Forgery (CSRF) vulnerability in RealtyScript version 4.0.2. It allows unauthenticated attackers to create unauthorized user accounts, including administrative users with SUPERUSER privileges. Attackers achieve this by crafting malicious forms that submit hidden data to specific endpoints, namely /admin/addusers.php and /admin/editadmins.php, thereby registering new users with arbitrary credentials and escalating their privileges.


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to create unauthorized user accounts without any authentication or user interaction. They can escalate these accounts to administrative SUPERUSER level, potentially compromising the integrity of your system. Although the confidentiality and availability impacts are limited, the integrity of your user management and administrative controls can be severely affected.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unauthorized or suspicious HTTP POST requests to the endpoints /admin/addusers.php and /admin/editadmins.php. Specifically, look for requests that include form data attempting to create new user accounts or escalate privileges.

Network traffic analysis tools or web server logs can be used to identify such requests. [1]

- Use tools like curl or wget to simulate or detect suspicious POST requests.
- Example commands to check for suspicious POST requests in web server logs (assuming Apache logs):
  grep -i 'POST /admin/addusers.php' /var/log/apache2/access.log
  grep -i 'POST /admin/editadmins.php' /var/log/apache2/access.log
- Use a packet capture tool like tcpdump or Wireshark to filter HTTP POST requests to these endpoints.
- Example tcpdump command:
  tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i '/admin/addusers.php\|/admin/editadmins.php'
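A Python version of the log check described above, added here as an example and not taken from this record or from RealtyScript: it parses Apache combined-format lines and flags POSTs to the two endpoints whose Referer is missing or points at another origin, the trace a cross-site form submission leaves, which the plain grep above cannot separate from an administrator's own submissions. The sample log lines and the site host realty.example.com are constructed.

```python
import re
from urllib.parse import urlsplit
# The two endpoints named in the CVE description.
SENSITIVE_PATHS = ("/admin/addusers.php", "/admin/editadmins.php")
# Apache "combined" log format, one named group per field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_suspicious(rec, site_host):
    """POST to a sensitive admin endpoint whose Referer is missing or from another origin."""
    if rec["method"] != "POST":
        return False
    path = rec["path"].split("?", 1)[0]           # ignore any query string
    if path not in SENSITIVE_PATHS:
        return False
    ref = rec["referer"]
    if ref in ("", "-"):
        return True                               # form was not submitted from a page on the site
    return urlsplit(ref).hostname != site_host    # submitted from a foreign origin

def find_csrf_candidates(lines, site_host):
    """Return (ip, timestamp, path, referer) for every line that matches the heuristic."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec, site_host):
            hits.append((rec["ip"], rec["ts"], rec["path"], rec["referer"]))
    return hits

# Constructed sample lines (not real traffic), in order: same-origin POST, cross-origin POST, POST without Referer, GET; the site host is an assumption.
SITE_HOST = "realty.example.com"
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Mar/2026:10:01:02 +0000] "POST /admin/addusers.php HTTP/1.1" 302 0 "https://realty.example.com/admin/addusers.php" "Mozilla/5.0"',
    '203.0.113.9 - - [16/Mar/2026:10:05:44 +0000] "POST /admin/editadmins.php HTTP/1.1" 302 0 "https://attacker.invalid/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Mar/2026:10:06:10 +0000] "POST /admin/addusers.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [16/Mar/2026:10:00:58 +0000] "GET /admin/addusers.php HTTP/1.1" 200 4096 "https://realty.example.com/admin/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, path, ref in find_csrf_candidates(SAMPLE_LOG, SITE_HOST):
        print(f"{ts} {ip} POST {path} referer={ref}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file's lines; a hit is a lead to check against admin activity, not proof of exploitation, since some browsers and proxies strip the Referer header.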


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include implementing CSRF protection mechanisms such as requiring CSRF tokens on sensitive forms, especially those at /admin/addusers.php and /admin/editadmins.php.

Restrict access to these administrative endpoints to trusted IP addresses or authenticated users only.

Apply web application firewall (WAF) rules to detect and block suspicious POST requests targeting these endpoints.

If possible, update or patch RealtyScript to a version that addresses this vulnerability.

Monitor logs and network traffic for signs of exploitation attempts and revoke any unauthorized accounts immediately.

