CVE-2015-20118
Published: 16 March 2026
Summary
CVE-2015-20118 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Nextclickventures Realtyscript. Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
Next Click Ventures RealtyScript 4.0.2 is affected by CVE-2015-20118, a stored cross-site scripting (XSS) vulnerability identified under CWE-79. The flaw resides in the location_name parameter within the admin locations interface, specifically at the locations.php endpoint. Attackers can inject JavaScript payloads via POST requests, which are stored and later rendered without proper sanitization, leading to arbitrary code execution in the browsers of authenticated administrators. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), indicating high severity due to its network accessibility, low attack complexity, and lack of prerequisites.
Unauthenticated attackers (PR:N) can exploit this vulnerability remotely by submitting malicious POST requests to locations.php with JavaScript in the location_name field. Once stored, the payload executes when administrators access the locations interface, potentially allowing theft of admin session cookies, keystroke logging, or redirection to phishing sites. The changed scope (S:C) reflects the impact crossing into the admin user's browser context, enabling limited confidentiality and integrity violations without availability disruption.
Advisories from referenced sources, including Exploit-DB (exploit 38496), VulnCheck, and Zero Science Labs (ZSL-2015-5269), document the vulnerability and provide proof-of-concept exploits demonstrating the stored XSS via the location_name parameter. No specific patches or mitigation steps are detailed in the provided descriptions, though upgrading to a non-vulnerable version of RealtyScript or implementing input sanitization on the backend is implied as standard remediation for XSS flaws.
A public exploit is available on Exploit-DB, indicating potential for real-world abuse against unpatched RealtyScript 4.0.2 deployments, particularly in real estate management environments. The CVE was published on 2026-03-16 despite the 2015-era vulnerability disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2015-9417
Vulnerability details
Next Click Ventures RealtyScript 4.0.2 contains a stored cross-site scripting vulnerability in the location_name parameter of the admin locations interface. Attackers can submit POST requests to the locations.php endpoint with JavaScript payloads in the location_name field to execute arbitrary code…
more
in administrator browsers.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS in public-facing web app directly enables remote exploitation (T1190) and facilitates browser session hijacking via cookie theft/JS execution in admin context (T1185).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces validation of the location_name input at locations.php to reject or sanitize JavaScript payloads before storage.
Requires filtering of stored location data on output so that malicious scripts are neutralized before rendering in administrator browsers.
Deploys malicious-code protections (e.g., WAF rules or content filters) that can block or alert on XSS payloads submitted to the admin interface.