CVE-2015-20119 MEDIUM

CVE-2015-20119: RealtyScript 4.0.2 Stored Cross-Site Scripting via text Parameter in pages.php

Vendor Next Click Ventures

Product RealtyScript

Weakness CWE-79 · XSS

Published March 15, 2026

Last update May 24, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

Description

Next Click Ventures RealtyScript 4.0.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious HTML and iframe elements through the text parameter in the pages.php admin interface. Attackers can submit POST requests to the add page action with crafted iframe payloads in the text parameter to store malicious content that executes in the browsers of users viewing the affected pages.

Key dates

Disclosure timeline

March 15, 2026 CVE published

May 24, 2026 Record updated