CVE-2015-20117 MEDIUM

CVE-2015-20117: RealtyScript 4.0.2 Cross-Site Request Forgery Unauthorized User Creation

Vendor Next Click Ventures
Product RealtyScript
Weakness CWE-352 · CSRF
Published March 15, 2026
Last update March 16, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

What the vulnerability does

01Description

Next Click Ventures RealtyScript 4.0.2 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create unauthorized user accounts and administrative users by crafting malicious forms. Attackers can submit hidden form data to /admin/addusers.php and /admin/editadmins.php endpoints to register new users with arbitrary credentials and escalate privileges to SUPERUSER level.

Key dates

02Disclosure timeline

March 15, 2026 CVE published
March 16, 2026 Record updated