XSS vulnerability allowed a threat actor to redirect users to arbitrary domains.
February 27, 2025 By Eduard Kovacs
The websites of dozens of major private and government organizations have been abused in a massive spam campaign that involves exploitation of a vulnerability affecting widely used virtual tour software.
The attacks were observed recently by researcher Oleg Zaytsev, who noticed that a Google search revealed what appeared to be adult content on the website of a major university in the US.
Additional analysis showed that the impacted website hosted a virtual tour powered by software made by Krpano. This software is affected by a reflected cross-site scripting (XSS) vulnerability that has been exploited to lead users to shady websites promoting adult content, diets, hacking services, and online casinos.
Krpano is a widely used framework for panoramic images, enabling the creation of virtual tours and VR environments.
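Because the abuse described above reaches victims through query-string values that the vulnerable page reflects, a site operator's first practical question is whether their own access logs show such requests. The following defender-side log scan is an added example for this article; it is not code from the original page, from Krpano or from the researcher. It assumes Apache/Nginx combined log format, and every host name, IP address and parameter name in the sample lines is constructed for illustration (the page names no parameters). It flags requests whose query parameters carry an absolute or protocol-relative URL to a host the site does not own, or HTML/script markup after URL-decoding.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Hosts this site legitimately serves (constructed example values).
OWN_HOSTS = {"www.example.edu", "example.edu"}

# Constructed sample access-log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Feb/2025:10:00:01 +0000] "GET /tour/index.html?xml=tour.xml HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Feb/2025:10:00:02 +0000] "GET /tour/index.html?xml=https://example-spam.invalid/promo.xml HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Feb/2025:10:00:03 +0000] "GET /tour/index.html?startscene=%3Cscript%3Elocation%3D%27//example-spam.invalid%27%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.8 - - [27/Feb/2025:10:00:04 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Request line of the combined log format: client IP, timestamp, method, target, status.
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Absolute (scheme://host) or protocol-relative (//host) URL inside a parameter value.
EXT_URL_RE = re.compile(r'(?:[a-z][a-z0-9+.-]*:)?//([^/?#\s\'"<>]+)', re.I)
# Markup or script-bearing fragments that have no business in a tour parameter.
MARKUP_RE = re.compile(r'<\s*/?\s*(script|iframe|img|svg)\b|javascript:|on[a-z]+\s*=', re.I)


def classify_param(name, value, own_hosts):
    """Return a list of reasons a query parameter value looks like redirect/XSS abuse."""
    decoded = unquote(value)  # parse_qsl already decoded once; this catches double-encoding
    reasons = []
    for m in EXT_URL_RE.finditer(decoded):
        # Strip userinfo and port so "user@evil.invalid:8080" is judged by its host only.
        host = m.group(1).lower().split("@")[-1].split(":")[0]
        if host not in own_hosts:
            reasons.append(f"external URL to {host}")
    if MARKUP_RE.search(decoded):
        reasons.append("html/script markup")
    return reasons


def scan_log(text, own_hosts):
    """Scan combined-format log text; return one finding per suspicious query parameter."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed request records
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            reasons = classify_param(name, value, own_hosts)
            if reasons:
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "path": parts.path,
                    "param": name,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, OWN_HOSTS):
        print(f"{f['time']} {f['ip']} {f['path']} param={f['param']}: {', '.join(f['reasons'])}")
```

Run against real logs, the hit list is a starting point for triage rather than proof of compromise: legitimate integrations sometimes pass absolute URLs, so the allow-list of owned hosts should be extended to any CDN or partner domain the tour is meant to load from, and a spike of flagged requests from search-engine crawler IP ranges is a sign that the poisoned URLs have already been indexed.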