CVE-2015-20118

Next Click Ventures RealtyScript 4.0.2 is affected by CVE-2015-20118, a stored cross-site scripting (XSS) vulnerability identified under CWE-79. The flaw resides in the location_name parameter within the admin locations interface, specifically at the locations.php endpoint. Attackers can inject JavaScript payloads via POST requests, which are stored and later rendered without proper sanitization, leading to arbitrary code execution in the browsers of authenticated administrators. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), indicating high severity due to its network accessibility, low attack complexity, and lack of prerequisites.

Unauthenticated attackers (PR:N) can exploit this vulnerability remotely by submitting malicious POST requests to locations.php with JavaScript in the location_name field. Once stored, the payload executes when administrators access the locations interface, potentially allowing theft of admin session cookies, keystroke logging, or redirection to phishing sites. The changed scope (S:C) reflects the impact crossing into the admin user's browser context, enabling limited confidentiality and integrity violations without availability disruption.

Advisories from referenced sources, including Exploit-DB (exploit 38496), VulnCheck, and Zero Science Labs (ZSL-2015-5269), document the vulnerability and provide proof-of-concept exploits demonstrating the stored XSS via the location_name parameter. No specific patches or mitigation steps are detailed in the provided descriptions, though upgrading to a non-vulnerable version of RealtyScript or implementing input sanitization on the backend is implied as standard remediation for XSS flaws.

A public exploit is available on Exploit-DB, indicating potential for real-world abuse against unpatched RealtyScript 4.0.2 deployments, particularly in real estate management environments. The CVE was published on 2026-03-16 despite the 2015-era vulnerability disclosure.