CVE-2015-20113 in RealtyScript

Summary

by MITRE • 03/16/2026

Next Click Ventures RealtyScript 4.0.2 contains cross-site request forgery and persistent cross-site scripting vulnerabilities that allow attackers to perform administrative actions and inject malicious scripts. Attackers can craft malicious web pages that execute unauthorized actions when logged-in users visit them, or inject persistent scripts that execute in the application context.


Analysis

by VulDB Data Team • 03/20/2026

CVE-2015-20113 affects Next Click Ventures RealtyScript 4.0.2, a real estate management platform, through a cross-site request forgery (CSRF) flaw and a persistent cross-site scripting (XSS) flaw. The issue illustrates why input validation and request origin verification are essential in web applications. The presence of both CSRF and XSS in a single application creates a particularly dangerous attack surface that can lead to comprehensive system compromise.

The flaw manifests through two distinct but complementary attack vectors, each rooted in a fundamental web application weakness. The CSRF vulnerability arises because the application does not verify the origin of HTTP requests, so a malicious web page can submit requests to the application on behalf of an authenticated user who visits it. This weakness maps to CWE-352, which categorizes cross-site request forgery as a critical security vulnerability that undermines the principle of least privilege. The persistent XSS component lets an attacker store malicious script in the application's database or configuration files, so that the script runs whenever legitimate users interact with the affected pages. This persistent behaviour corresponds to CWE-79, which defines cross-site scripting as a vulnerability where untrusted data is executed as code in the victim's browser.

The operational impact goes well beyond data theft or defacement, because the attacker can perform administrative actions within the application context. When a logged-in user visits a malicious page, the CSRF flaw permits unauthorized changes to system configuration, user accounts, or property listings, with potential consequences ranging from financial loss and data manipulation to complete system compromise. The persistent XSS component is a long-term threat: stored scripts can steal session cookies, redirect users to phishing sites, or establish backdoor access to the underlying system. Combined, the two flaws allow an attacker to first gain unauthorized administrative access through CSRF and then maintain a persistent presence through XSS, enabling prolonged surveillance and data exfiltration.

Security professionals should consider this vulnerability in the context of the ATT&CK framework, where it maps to several techniques, including T1566 for social engineering through malicious web content and T1059 for command and control through script injection. The vulnerability also aligns with the OWASP Top Ten 2017 category A03:2017 - Injection, since both CSRF and XSS are treated here as injection flaws that execute unauthorized commands within the application environment. Organizations should implement layered mitigations: anti-CSRF tokens to validate that state-changing requests originate from the application's own pages, sanitization and contextual output encoding for all user-supplied data, and regular security testing to find similar weaknesses in their web applications. The vulnerability is a reminder of the need for security-by-design principles and for keeping web application security patches current.
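The two mitigations recommended above, a session-bound anti-CSRF token checked alongside the request's Origin, and output encoding for stored text before it reaches the browser, as an added illustration that is not RealtyScript code and not part of the VulDB analysis. The hostname, key handling, request shape and sample values are constructed assumptions for the example.

```python
import hashlib
import hmac
import html
import secrets
from urllib.parse import urlparse

# Constructed server-side key; a real deployment loads this from protected config.
SERVER_KEY = secrets.token_bytes(32)
ADMIN_HOST = "realty.example"  # assumed hostname the application is served from


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: nonce + HMAC(key, session_id:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session's nonce and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def origin_allowed(headers: dict) -> bool:
    """Second layer: the browser-set Origin (or Referer) header must name our own host."""
    src = headers.get("Origin") or headers.get("Referer")
    return bool(src) and urlparse(src).netloc == ADMIN_HOST


def authorize_state_change(request: dict, session_id: str) -> bool:
    """Gate every state-changing admin request on both the token and the origin check."""
    if request["method"] not in ("POST", "PUT", "DELETE"):
        return True  # safe methods must not change state, so there is nothing to gate
    token = request["form"].get("csrf_token", "")
    return verify_csrf_token(session_id, token) and origin_allowed(request["headers"])


def render_listing_field(stored_value: str) -> str:
    """Encode stored text for an HTML element body so it is displayed, not executed."""
    return html.escape(stored_value, quote=True)


if __name__ == "__main__":
    tok = issue_csrf_token("sess-1")  # constructed session id
    own_page = {"method": "POST", "headers": {"Origin": "https://realty.example"}, "form": {"csrf_token": tok}}
    cross_site = {"method": "POST", "headers": {"Origin": "https://other.example"}, "form": {}}
    print(authorize_state_change(own_page, "sess-1"), authorize_state_change(cross_site, "sess-1"))
    print(render_listing_field("<b>3 bed</b>"))
```

A request that carries a valid token but arrives from another origin is still refused, which is the behaviour that closes the CSRF vector described above.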

Responsible: VulnCheck
Reservation: 03/15/2026
Disclosure: 03/16/2026
Moderation: accepted
CPE: ready


EPSS: 0.00039
KEV: no
Activities: very low
