A security vulnerability in the Krpano framework, used for virtual tours, has been exploited in a campaign known as 360XSS. The attack affected over 350 websites, including government sites and major corporations, allowing adversaries to inject malicious scripts aimed at manipulating search results and promoting spam advertisements. Exploitation occurs through a specially crafted URL parameter that causes a Base64-encoded payload to execute in victims' browsers, a technique that abuses the trust placed in the affected domains. This highlights significant security concerns surrounding widely used web frameworks.
This wasn't just a spam operation; it was an industrial-scale abuse of trusted domains.
The campaign, dubbed 360XSS, affected over 350 websites, including government portals and Fortune 500 companies.
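As an added example (not from the original report or from Krpano), the following Python check shows how a defender could scan request URLs from access logs for query parameters that carry Base64 which decodes to script-like content. The host `tour.example`, the parameter names `cfg` and `state`, the sample URLs and the marker list are all constructed assumptions; every query parameter is inspected because the page does not name the affected one.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote, urlsplit

# Runs of Base64 (standard or URL-safe alphabet) long enough to hold a payload.
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{24,}={0,2}")
# Assumed markers that decoded bytes are active content rather than plain data.
SCRIPT_MARKERS = re.compile(
    rb"<script|javascript:|on(?:load|error)\s*=|eval\(|atob\(|document\.", re.I)

def decode_b64(run):
    """Decode standard or URL-safe Base64, tolerating missing padding."""
    s = run.rstrip("=").replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None

def suspicious_params(url):
    """Return [(param_name, decoded_snippet)] for values hiding script-like Base64."""
    hits = []
    for pair in urlsplit(url).query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote(raw)  # keeps a literal '+', unlike parse_qsl
        for run in B64_RUN.findall(value):
            decoded = decode_b64(run)
            if decoded and SCRIPT_MARKERS.search(decoded):
                hits.append((name, decoded[:60].decode("latin-1")))
    return hits

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample request URLs (hypothetical host and parameter names).
SAMPLE_URLS = [
    "https://tour.example/vt/index.html?startscene=lobby&lang=en",
    "https://tour.example/vt/index.html?state="
    + quote(_b64('{"scene":"lobby","heading":120}'), safe=""),
    "https://tour.example/vt/index.html?cfg="
    + quote(_b64('<script>console.log("constructed sample")</script>'), safe=""),
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(suspicious_params(u) or "clean", u[:70])
```

A hit is a triage lead rather than proof of exploitation: the decoded snippet should be reviewed alongside the response that the server returned for that request.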