CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Description
Next Click Ventures RealtyScript 4.0.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious HTML and iframe elements through the text parameter in the pages.php admin interface. Attackers can submit POST requests to the add page action with crafted iframe payloads in the text parameter to store malicious content that executes in the browsers of users viewing the affected pages.
Analysis
RealtyScript 4.0.2 contains a stored cross-site scripting (XSS) vulnerability in the pages.php admin interface that allows authenticated attackers to inject malicious HTML and iframe elements through the text parameter. Attackers can craft POST requests to store malicious content that executes in the browsers of users viewing affected pages. A public proof-of-concept exploit exists (Exploit-DB 38496), making this vulnerability actively exploitable by authenticated threat actors.
Technical Context
The vulnerability is a stored XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in RealtyScript, a PHP-based real estate management application. The root cause is insufficient input validation and output encoding of the 'text' parameter in the pages.php administrative interface. The application fails to sanitize HTML and iframe elements before storing user-supplied input in the backend database, and does not properly encode output when rendering stored content. This allows attackers to inject arbitrary JavaScript code and iframe elements that persist in the application database and execute in the context of other users' browsers with the same origin.
Affected Products
Next Click Ventures RealtyScript versions up to and including 4.0.2 (CPE: cpe:2.3:a:next_click_ventures:realtyscript:*:*:*:*:*:*:*:*). Specifically confirmed affected: RealtyScript 4.0.2 (per ENISA EUVD-2015-9419). The vulnerability is triggered through the pages.php administrative interface, so it is reached through admin accounts with page creation/editing privileges in RealtyScript installations. No vendor advisory links are present in the provided references, suggesting this may be an unmaintained or legacy product.
Remediation
Immediate remediation steps:
(1) Apply input validation and sanitization to the 'text' parameter in pages.php: use a whitelist approach to allow only safe HTML tags and attributes, or strip all HTML entirely if rich text is not required.
(2) Implement proper output encoding using context-aware escaping (e.g., HTML entity encoding) when rendering stored content to prevent script execution.
(3) Deploy a Content Security Policy (CSP) header to restrict inline script execution.
(4) Upgrade to a patched version if available from Next Click Ventures. No specific patched version is identified in the references; for advisory details see https://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5269.php or https://www.vulncheck.com/advisories/realtyscript-stored-cross-site-scripting-via-text-parameter-in-pages-php.
(5) As a temporary workaround, restrict administrative access to trusted users only and conduct regular audits of stored page content for malicious payloads.
(6) Consider migrating to actively maintained alternatives if vendor support is unavailable.
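Steps (1) to (3) in PHP, as an added example that is not RealtyScript's code or a vendor patch. The function names, the tag allowlist and the CSP values are assumptions, and the sample input is constructed.

```php
<?php
// Hypothetical hardening code, not RealtyScript source; names and policy are assumptions.
const ALLOWED_TAGS = ['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'h2', 'h3', 'a'];
// Step 1: allowlist sanitizer for the submitted 'text' value, run before it is stored.
function sanitize_page_html(string $html): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // tolerate malformed markup
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    $xpath = new DOMXPath($doc);
    // Snapshot the nodes first because the tree is modified during the walk.
    foreach (iterator_to_array($xpath->query('.//* | .//comment()', $body)) as $node) {
        $allowed = $node instanceof DOMElement && in_array($node->nodeName, ALLOWED_TAGS, true);
        if (!$allowed) {
            // iframe, script, object, comments and anything else unlisted is dropped whole.
            if ($node->parentNode !== null) { $node->parentNode->removeChild($node); }
            continue;
        }
        foreach (iterator_to_array($node->attributes) as $attr) {
            $safeLink = $node->nodeName === 'a' && $attr->nodeName === 'href'
                && preg_match('#^https?://#i', $attr->value) === 1;
            if (!$safeLink) {
                $node->removeAttribute($attr->nodeName); // on* handlers, style, src, ...
            }
        }
    }
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
// Step 2: HTML entity encoding for stored values that are rendered as plain text.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
// Step 3: CSP as defense in depth (example policy); must be sent before any output.
header("Content-Security-Policy: default-src 'self'; frame-src 'none'; object-src 'none'");
// Constructed sample inputs, not taken from the advisory.
echo sanitize_page_html('<p>Open <b onclick="x()">Sunday</b></p><iframe src="https://example.invalid/"></iframe>'), PHP_EOL;
echo e('<b>Open house</b>'), PHP_EOL;
```

Content already stored before the fix stays in the database, so the same sanitizer should also be run over existing page rows as part of the audit in step (5).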
EUVD-2015-9419