Description
Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize file uploads, allowing attackers to store malicious scripts through the file POST parameter in admin/tools.php. Attackers can upload files containing JavaScript code that executes in the context of admin/tools.php when accessed by other users.
Published: 2026-03-15
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Patch Required
AI Analysis

Impact

The vulnerability originates from insufficient filtering of file upload inputs in the admin/tools.php interface of RealtyScript 4.0.2. Attackers can craft file POST requests that embed JavaScript, which is stored and later served within the context of the administrative tool page. This allows arbitrary client-side code to run when other users visit the affected page, with the usual consequences of stored XSS: theft of user credentials, session tokens, or other sensitive data, and actions performed in the victim's session. The weakness is cataloged as CWE-79 (Improper Neutralization of Input During Web Page Generation).

Affected Systems

Only Next Click Ventures RealtyScript version 4.0.2 is impacted as identified by the vendor’s product listing and the CPE string available in the CVE entry. No other product variants or versions are indicated as affected.

Risk and Exploitability

The severity of the flaw is scored as moderate (CVSS 5.1) with a very low probability of exploitation (EPSS <1%). It is not listed in the CISA KEV catalog. Exploitation requires access to the file upload endpoint, which is typically restricted to administrators or users with upload privileges, and relies on other users subsequently accessing the stored file. Given the low exploit probability and moderate impact, audit and patching remain the primary defenses.

Generated by OpenCVE AI on March 19, 2026 at 16:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Next Click Ventures’ website or support portal for a patch or update that addresses the file upload filtering issue. If a patch is available, apply it to all affected RealtyScript 4.0.2 installations immediately.
  • If no patch exists, disable the file upload functionality in admin/tools.php or restrict file upload permissions to a trusted set of users.
  • Configure a Web Application Firewall or similar input validation layer to block script payloads before they reach the application.
  • Consider upgrading to a newer, supported version of RealtyScript that resolves this XSS vulnerability.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 14:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Nextclickventures; Nextclickventures realtyscript
CPEs                                  cpe:2.3:a:nextclickventures:realtyscript:4.0.2:*:*:*:*:*:*:*
Vendors & Products                    Nextclickventures; Nextclickventures realtyscript

Mon, 16 Mar 2026 15:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Next Click Ventures; Next Click Ventures realtyscript
Vendors & Products                    Next Click Ventures; Next Click Ventures realtyscript

Sun, 15 Mar 2026 18:45:00 +0000

Type                 Values Removed   Values Added
Description                           Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize file uploads, allowing attackers to store malicious scripts through the file POST parameter in admin/tools.php. Attackers can upload files containing JavaScript code that executes in the context of admin/tools.php when accessed by other users.
Title                                 RealtyScript 4.0.2 Stored Cross-Site Scripting via File Upload Parameter
Weaknesses                            CWE-79
References
Metrics                               cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}
                                      cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-16T14:30:31.420Z

Reserved: 2026-03-15T18:05:20.149Z

Link: CVE-2015-20115

Vulnrichment

Updated: 2026-03-16T14:21:18.586Z

NVD

Status: Analyzed

Published: 2026-03-16T14:17:46.883

Modified: 2026-03-19T14:12:21.117

Link: CVE-2015-20115

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:01:31Z

Weaknesses