Description
Next Click Ventures RealtyScript 4.0.2 contains cross-site request forgery and persistent cross-site scripting vulnerabilities that allow attackers to perform administrative actions and inject malicious scripts. Attackers can craft malicious web pages that execute unauthorized actions when logged-in users visit them, or inject persistent scripts that execute in the application context.
Published: 2026-03-15
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑Side Cross‑Site Scripting and Unauthorized Administrative Actions via CSRF
Action: Patch or Mitigate
AI Analysis

Impact

Next Click Ventures RealtyScript 4.0.2 contains two critical vulnerabilities: a persistent cross‑site scripting (XSS) flaw that allows an attacker to inject and execute JavaScript in the context of the application, and a cross‑site request forgery (CSRF) flaw that lets an attacker cause an authenticated user to perform privileged administrative actions without their consent. The XSS flaw may enable session hijacking, phishing, or the execution of client‑side code that can exfiltrate data, while the CSRF flaw bypasses any user‑initiated confirmation and can result in data modification, deletion, or escalation of privileges within the application.

Affected Systems

Only Next Click Ventures RealtyScript 4.0.2 is affected. Explicit CPE data confirms the product and version: cpe:2.3:a:nextclickventures:realtyscript:4.0.2:*:*:*:*:*:*:*. No other versions or vendors are listed in the provided information.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity. An EPSS score of less than 1% suggests a low likelihood of current exploitation, and the vulnerability is not listed in the CISA KEV catalog, implying no widely publicized exploits. Exploitation requires an attacker to supply a malicious web page that a logged-in user will visit, or to craft a forged request that the application will accept, so it hinges on a web-based attack vector. The weakness is exploited through client-side manipulation rather than server-side code execution.

Generated by OpenCVE AI on March 19, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Next Click Ventures’ website or support portal for a vendor patch or newer version of RealtyScript that addresses the XSS and CSRF flaws.
  • If a patch is not available, immediately disable or limit administrative functions for users of version 4.0.2 and consider removing or sanitizing affected scripts until a fix is deployed.
  • Deploy a web application firewall (WAF) or intrusion‑prevention system that rejects state-changing requests lacking a valid CSRF token and filters out malicious JavaScript payloads.
  • Ensure that all users are notified to avoid visiting untrusted sites while logged into the application until the issue is resolved.

Tracking


Advisories

No advisories yet.

History

Thu, 19 Mar 2026 14:00:00 +0000

Values Added:
  First Time appeared: Nextclickventures; Nextclickventures realtyscript
  CPEs: cpe:2.3:a:nextclickventures:realtyscript:4.0.2:*:*:*:*:*:*:*
  Vendors & Products: Nextclickventures; Nextclickventures realtyscript

Mon, 16 Mar 2026 15:15:00 +0000

Values Added:
  Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:15:00 +0000

Values Added:
  First Time appeared: Next Click Ventuers; Next Click Ventuers realtyscript
  Vendors & Products: Next Click Ventuers; Next Click Ventuers realtyscript

Sun, 15 Mar 2026 18:45:00 +0000

Values Added:
  Description: Next Click Ventures RealtyScript 4.0.2 contains cross-site request forgery and persistent cross-site scripting vulnerabilities that allow attackers to perform administrative actions and inject malicious scripts. Attackers can craft malicious web pages that execute unauthorized actions when logged-in users visit them, or inject persistent scripts that execute in the application context.
  Title: RealtyScript 4.0.2 Multiple Cross-Site Request Forgery and Persistent Cross-Site Scripting Vulnerabilities
  Weaknesses: CWE-352
  References:
  Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
           cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-16T14:20:18.451Z

Reserved: 2026-03-15T18:04:37.980Z

Link: CVE-2015-20113

Vulnrichment

Updated: 2026-03-16T14:17:21.685Z

NVD

Status: Analyzed

Published: 2026-03-16T14:17:46.370

Modified: 2026-03-19T13:58:25.190

Link: CVE-2015-20113

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:01:33Z

Weaknesses