CVE-2015-20118
Awaiting Analysis Awaiting Analysis - Queue
Stored XSS in RealtyScript 4.0.2 Admin Location_name Parameter

Publication date: 2026-03-16

Last updated on: 2026-03-19

Assigner: VulnCheck

Description
Next Click Ventures RealtyScript 4.0.2 contains a stored cross-site scripting vulnerability in the location_name parameter of the admin locations interface. Attackers can submit POST requests to the locations.php endpoint with JavaScript payloads in the location_name field to execute arbitrary code in administrator browsers.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-14
NVD
CVE-2015-20118
EUVD
EUVD-2015-9417
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nextclickventures realtyscript 4.0.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2015-20118 is a stored cross-site scripting (XSS) vulnerability found in RealtyScript version 4.0.2. It exists in the location_name parameter of the admin locations interface. An attacker can exploit this by sending specially crafted POST requests to the locations.php endpoint, embedding malicious JavaScript code in the location_name field. When an administrator accesses this interface, the malicious code executes in their browser.

Impact Analysis

This vulnerability allows attackers to execute arbitrary JavaScript code in the browsers of administrators who access the affected interface. This can lead to unauthorized actions performed with administrator privileges, theft of sensitive information such as session tokens, or manipulation of the admin interface. The attack requires user interaction and low privileges to exploit, but it can compromise the security of the administrative environment.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for specially crafted POST requests sent to the locations.php endpoint containing suspicious JavaScript payloads in the location_name parameter.'}, {'type': 'paragraph', 'content': 'To detect such attempts, you can use network traffic inspection tools or web server logs to search for POST requests targeting locations.php with suspicious input.'}, {'type': 'list_item', 'content': 'Use command-line tools like curl or wget to simulate POST requests and verify if the location_name parameter is vulnerable.'}, {'type': 'list_item', 'content': 'Example command to test the vulnerability by sending a payload: curl -X POST -d "location_name=<script>alert(\'XSS\')</script>" http://yourserver/locations.php'}, {'type': 'list_item', 'content': 'Use grep or similar tools on web server logs to find POST requests to locations.php containing <script> tags or other suspicious JavaScript code.'}] [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the admin locations interface to trusted administrators only and monitoring for suspicious POST requests to locations.php.

Additionally, applying input validation and sanitization on the location_name parameter to neutralize any JavaScript code before it is stored or rendered can prevent exploitation.

If possible, update or patch RealtyScript to a version where this vulnerability is fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2015-20118. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart