Hackers Exploited Krpano Framework Flaw to Inject Spam Ads on 350+ Websites

Summary: A cross-site scripting (XSS) vulnerability in the Krpano virtual tour framework has been exploited in a large-scale campaign, affecting over 350 websites and allowing malicious actors to manipulate search results and serve spam ads. Security researcher Oleg Zaytsev reported that this operation utilizes trusted domains to distribute ads for pornography, diet supplements, and fake news. The latest version of Krpano has addressed the security flaw to mitigate future risks.

Affected: Krpano framework users; over 350 websites, including government sites, universities, and Fortune 500 companies

Key points:

  • Malicious actors exploit a reflected XSS vulnerability in the Krpano framework to run ad campaigns using legitimate domains.
  • The campaign, known as 360XSS, involved over 350 sites and employed search engine optimization poisoning techniques.
  • Recent updates to the Krpano framework (version 1.22.4) have mitigated the XSS risks by eliminating support for external XML configuration.
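As an added detection example (not from the article or the Krpano project), the check below scans constructed web-server access-log lines for requests whose XML-configuration parameter points at a different origin, the condition that let the campaign feed attacker-hosted configuration to a trusted site's viewer. The parameter name `xml`, the viewer path and the combined log format are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of combined-format access log lines (not from any real site).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Feb/2025:12:00:01 +0000] "GET /tour/index.html?xml=tour.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Feb/2025:12:00:05 +0000] "GET /tour/index.html?xml=https://attacker.example/ads.xml HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
203.0.113.12 - - [10/Feb/2025:12:00:09 +0000] "GET /tour/index.html?xml=//cdn.example.net/x.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Feb/2025:12:00:13 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Minimal parser for the common/combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def external_xml_requests(log_text, site_host, param="xml"):
    """Return (client_ip, request_path) for requests whose configuration
    parameter (assumed to be named `xml`) would make the viewer load its
    XML from somewhere other than the site itself."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        for value in parse_qs(parts.query).get(param, []):
            target = urlsplit(value)
            # An absolute URL with a foreign host, a scheme-relative URL
            # (//host/...), or a non-HTTP scheme all mean the configuration
            # is not served by this site; a bare relative path is normal.
            foreign_host = bool(target.netloc) and target.netloc.lower() != site_host.lower()
            odd_scheme = target.scheme not in ("", "http", "https")
            if foreign_host or odd_scheme:
                hits.append((m.group("ip"), m.group("path")))
    return hits


if __name__ == "__main__":
    for ip, path in external_xml_requests(SAMPLE_LOG, "tours.example.org"):
        print(f"external XML config requested by {ip}: {path}")
```

Run against real logs with your own hostname; a burst of such hits with search-engine referrers is the pattern the article describes.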

Source: https://thehackernews.com/2025/02/hackers-exploited-krpano-framework-flaw.html