CVE-2015-20119

Name of the Vulnerable Software and Affected Versions RealtyScript version 4.0.2

Description RealtyScript 4.0.2 contains a stored cross-site scripting issue that allows authenticated attackers to inject malicious HTML and iframe elements. Attackers can submit POST requests to the add page action with crafted iframe payloads in the text parameter within the pages.php admin interface. This allows the storage of malicious content that executes in the browsers of users viewing the affected pages. The vulnerable parameter is text.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize the text parameter in the pages.php file to prevent the injection of malicious HTML and iframe elements. Restrict access to the pages.php admin interface to authorized personnel only.