CVE-2015-20118
HIGHRealtyScript 4.0.2 Stored Cross-Site Scripting via location_name Parameter
Title source: cnaDescription
Next Click Ventures RealtyScript 4.0.2 contains a stored cross-site scripting vulnerability in the location_name parameter of the admin locations interface. Attackers can submit POST requests to the locations.php endpoint with JavaScript payloads in the location_name field to execute arbitrary code in administrator browsers.
Exploits (1)
References (3)
Core 3
Core References
Third Party Advisory third-party-advisory
Zero Science Lab Disclosure
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5269.php
Third Party Advisory third-party-advisory
VulnCheck Advisory: RealtyScript 4.0.2 Stored Cross-Site Scripting via location_name Parameter
https://www.vulncheck.com/advisories/realtyscript-stored-cross-site-scripting-via-location-name-parameter
Scores
CVSS v3
7.2
EPSS
0.0004
EPSS Percentile
11.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
Next Click Ventures/RealtyScript
4.0.2
nextclickventures/realtyscript
4.0.2
Published
Mar 16, 2026
Tracked Since
Mar 16, 2026