Cyber Resilience

CVE-2015-20118

Medium · Public PoC

Published: 16 March 2026

Modified: 19 March 2026
KEV Added
Patch
CVSS Score v4: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0004 (14.2th percentile)
Risk Priority: 10 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2015-20118 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Nextclickventures Realtyscript. Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 14.2th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

Next Click Ventures RealtyScript 4.0.2 is affected by CVE-2015-20118, a stored cross-site scripting (XSS) vulnerability classified as CWE-79. The flaw is in the location_name parameter of the admin locations interface, at the locations.php endpoint. Attackers can inject JavaScript payloads via POST requests; the payloads are stored and later rendered without proper sanitization, leading to arbitrary script execution in the browsers of authenticated administrators. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), indicating high severity due to its network accessibility, low attack complexity, and no required privileges or user interaction.

Unauthenticated attackers (PR:N) can exploit this vulnerability remotely by submitting malicious POST requests to locations.php with JavaScript in the location_name field. Once stored, the payload executes when administrators access the locations interface, potentially allowing theft of admin session cookies, keystroke logging, or redirection to phishing sites. The changed scope (S:C) reflects the impact crossing into the admin user's browser context, enabling limited confidentiality and integrity violations without availability disruption.

Advisories from referenced sources, including Exploit-DB (exploit 38496), VulnCheck, and Zero Science Labs (ZSL-2015-5269), document the vulnerability and provide proof-of-concept exploits demonstrating the stored XSS via the location_name parameter. No specific patches or mitigation steps are detailed in the provided descriptions, though upgrading to a non-vulnerable version of RealtyScript or implementing input sanitization on the backend is implied as standard remediation for XSS flaws.

A public exploit is available on Exploit-DB, indicating potential for real-world abuse against unpatched RealtyScript 4.0.2 deployments, particularly in real estate management environments. The CVE was published on 2026-03-16, although the vulnerability was originally disclosed in 2015.


Vulnerability details

Next Click Ventures RealtyScript 4.0.2 contains a stored cross-site scripting vulnerability in the location_name parameter of the admin locations interface. Attackers can submit POST requests to the locations.php endpoint with JavaScript payloads in the location_name field to execute arbitrary code in administrator browsers.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1185 · Browser Session Hijacking · Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

Why these techniques?

Stored XSS in public-facing web app directly enables remote exploitation (T1190) and facilitates browser session hijacking via cookie theft/JS execution in admin context (T1185).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2015-20115 · Same product: Nextclickventures Realtyscript
CVE-2015-20117 · Same product: Nextclickventures Realtyscript
CVE-2015-20120 · Same product: Nextclickventures Realtyscript
CVE-2015-20121 · Same product: Nextclickventures Realtyscript
CVE-2026-1843 · Shared CWE-79
CVE-2026-42678 · Shared CWE-79
CVE-2023-49186 · Shared CWE-79
CVE-2025-22586 · Shared CWE-79
CVE-2026-1316 · Shared CWE-79
CVE-2025-23451 · Shared CWE-79

Affected Assets

Vendor: nextclickventures
Product: realtyscript
Version: 4.0.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

prevent: Enforces validation of the location_name input at locations.php to reject or sanitize JavaScript payloads before storage.

prevent: Requires filtering of stored location data on output so that malicious scripts are neutralized before rendering in administrator browsers.

prevent · detect: Deploys malicious-code protections (e.g., WAF rules or content filters) that can block or alert on XSS payloads submitted to the admin interface.
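
The first two controls above, input validation and output filtering for location_name, sketched in PHP as an added example; this is not RealtyScript code and does not come from any of the referenced advisories. The function names, the allow-list pattern and the 100-character limit are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not RealtyScript code.
// The allow-list and the 100-character limit are assumptions.

/** Input validation: accept a location name only if it fits a strict allow-list. */
function validate_location_name(string $raw): ?string
{
    $name = trim($raw);
    // Letters, combining marks, digits, spaces and a few punctuation marks, 1..100 chars.
    // <, >, ", &, = and backticks are absent, so markup and attribute breakouts are refused.
    // With /u, preg_match() returns false on invalid UTF-8, which the !== 1 check also rejects.
    if (preg_match('/^[\p{L}\p{M}\p{N} .,\'()\-]{1,100}$/u', $name) !== 1) {
        return null;
    }
    return $name;
}

/** Output filtering: encode for an HTML text or quoted-attribute context at render time. */
function html_out(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs, as they might arrive in the location_name POST field.
$samples = [
    'Saint-Tropez',
    "O'Fallon (MO)",
    '<script>alert(1)</script>',
    '" onmouseover="alert(1)',
];

foreach ($samples as $raw) {
    $ok = validate_location_name($raw);
    printf("%-28s => %s\n", $raw, $ok === null ? 'REJECTED' : 'accepted');
}

// Rows stored before validation existed may still hold markup, so every
// render path encodes on output regardless of what the input check does today.
$legacyRow = '<script>alert(1)</script>';
echo '<td>' . html_out($legacyRow) . "</td>\n";
```

Validation alone does not clean values already in the database, which is why the render path encodes independently of the input check.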
