CVE-2015-20118
Stored XSS in RealtyScript 4.0.2 Admin Location_name Parameter
Publication date: 2026-03-16
Last updated on: 2026-03-19
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextclickventures | realtyscript | 4.0.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2015-20118 is a stored cross-site scripting (XSS) vulnerability found in RealtyScript version 4.0.2. It exists in the location_name parameter of the admin locations interface. An attacker can exploit this by sending specially crafted POST requests to the locations.php endpoint, embedding malicious JavaScript code in the location_name field. When an administrator accesses this interface, the malicious code executes in their browser.
How can this vulnerability impact me? :
This vulnerability allows attackers to execute arbitrary JavaScript code in the browsers of administrators who access the affected interface. This can lead to unauthorized actions performed with administrator privileges, theft of sensitive information such as session tokens, or manipulation of the admin interface. The attack requires user interaction and low privileges to exploit, but it can compromise the security of the administrative environment.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for specially crafted POST requests sent to the locations.php endpoint containing suspicious JavaScript payloads in the location_name parameter.'}, {'type': 'paragraph', 'content': 'To detect such attempts, you can use network traffic inspection tools or web server logs to search for POST requests targeting locations.php with suspicious input.'}, {'type': 'list_item', 'content': 'Use command-line tools like curl or wget to simulate POST requests and verify if the location_name parameter is vulnerable.'}, {'type': 'list_item', 'content': 'Example command to test the vulnerability by sending a payload: curl -X POST -d "location_name=<script>alert(\'XSS\')</script>" http://yourserver/locations.php'}, {'type': 'list_item', 'content': 'Use grep or similar tools on web server logs to find POST requests to locations.php containing <script> tags or other suspicious JavaScript code.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the admin locations interface to trusted administrators only and monitoring for suspicious POST requests to locations.php.
Additionally, applying input validation and sanitization on the location_name parameter to neutralize any JavaScript code before it is stored or rendered can prevent exploitation.
If possible, update or patch RealtyScript to a version where this vulnerability is fixed.