Full Report
The "360XSS" campaign is a widespread exploitation of a reflected cross-site scripting (XSS) vulnerability in the popular virtual tour framework Krpano, which allows external XML content to be injected via the xml query parameter. The vulnerability, known as CVE-2020-24901, st...
Analysis Summary
# Vulnerability: Widespread Reflected XSS in Krpano (CVE-2020-24901)
## CVE Details
- CVE ID: CVE-2020-24901
- CVSS Score: Not provided in the source text; the observed widespread exploitation, defacement and SEO manipulation suggest high impact.
- CWE: Cross-site Scripting (CWE-79)
## Affected Systems
- Products: Krpano virtual tour framework
- Versions: Specific version range not provided in the source; affected builds are those in which the `passQueryParameters` setting was enabled by default (the vulnerability is publicly known and has been fixed).
- Configurations: Installations with `passQueryParameters` setting enabled.
## Vulnerability Description
The vulnerability resides in the Krpano framework, allowing external XML content to be injected into the virtual tour viewer via the `xml` query parameter when the `passQueryParameters` setting is enabled. This results in a Reflected Cross-Site Scripting (XSS) flaw. Threat actors injected malicious, Base64-encoded JavaScript via this parameter to execute arbitrary code in the context of the user's browser session.
## Exploitation
- Status: Exploited in the wild (Observed in the "360XSS" campaign affecting over 350 websites).
- Complexity: Low (Based on the simplicity of injecting content via a GET parameter).
- Attack Vector: Network (Via web request/URL manipulation).
## Impact
- Confidentiality: Potential for session hijacking or credential theft (depending on payload, though not the primary observed goal).
- Integrity: High (Observed impact includes Defacement and alteration of displayed content).
- Availability: Low (No direct denial of service mentioned).
## Remediation
### Patches
- **Note:** The article does not list the specific patch version, but implies that an update addressing the handling of the `xml` parameter and/or disabling `passQueryParameters` by default was released to resolve CVE-2020-24901.
### Workarounds
- Disable the potentially dangerous feature by ensuring the `passQueryParameters` setting is explicitly set to `false` in Krpano configurations.
- Implement strict input validation or sanitization on user-controlled parameters feeding into XML parsing, specifically the `xml` query parameter.
## Detection
- Indicators of Compromise (IoC): URLs containing the `xml=` query parameter that also contain high concentrations of encoded data (e.g., Base64 strings) or known script tags.
- Detection methods and tools: Web Application Firewalls (WAFs) monitoring incoming HTTP requests for anomalous characters or encoding schemes within query parameters targeting known vulnerable endpoints. Scanning logs for redirects or forced navigation to known spam/pornographic domains originating from viewer applications.
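An added detection example, not taken from the report or from Krpano, that applies the indicators above to web-server access-log lines: it flags requests whose `xml` parameter points at an external host, carries a `data:` URI, or contains script markers either in plain text or inside a long Base64-encoded run. The host names, log lines and encoded marker string are constructed for the example.

```python
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')   # request target in a CLF line
B64_RUN = re.compile(r"[A-Za-z0-9+/=]{40,}")          # long Base64-looking runs
SCRIPT_MARKERS = ("<script", "javascript:")

def _decode_b64_runs(value):
    """Yield decoded text for every long Base64-looking run in value."""
    for run in B64_RUN.findall(value):
        try:
            yield base64.b64decode(run + "=" * (-len(run) % 4)).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue

def inspect_xml_param(url, allowed_hosts=()):
    """Return reasons the xml= parameter of a request looks like 360XSS-style abuse."""
    reasons = []
    for raw in parse_qs(urlsplit(url).query, keep_blank_values=True).get("xml", []):
        target = urlsplit(raw)  # parse_qs has already URL-decoded the value
        if target.scheme in ("http", "https") and target.netloc.lower() not in allowed_hosts:
            reasons.append(f"external xml source: {target.netloc}")
        if target.scheme == "data":
            reasons.append("data: URI supplied as xml")
        if any(m in raw.lower() for m in SCRIPT_MARKERS):
            reasons.append("script marker in plain xml value")
        if any(m in d.lower() for d in _decode_b64_runs(raw) for m in SCRIPT_MARKERS):
            reasons.append("script marker inside Base64-encoded xml value")
    return reasons

def scan_log(lines, allowed_hosts=()):
    """Return (client_ip, request_target, reasons) for each suspicious log line."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if m:
            reasons = inspect_xml_param(m.group(1), allowed_hosts)
            if reasons:
                hits.append((line.split(" ", 1)[0], m.group(1), reasons))
    return hits

# Constructed sample access-log lines (not from the report); the encoded value is a harmless marker.
_ENC = quote("data:text/xml;base64," + base64.b64encode(b"<krpano><script>/* marker */</script></krpano>").decode(), safe="")
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Mar/2025:10:00:01 +0000] "GET /tour/index.html?xml=tour.xml HTTP/1.1" 200 5120',
    '203.0.113.11 - - [01/Mar/2025:10:00:02 +0000] "GET /tour/index.html?xml=https://bad.example/x.xml HTTP/1.1" 200 5120',
    f'203.0.113.12 - - [01/Mar/2025:10:00:03 +0000] "GET /tour/index.html?xml={_ENC} HTTP/1.1" 200 5120',
    '203.0.113.13 - - [01/Mar/2025:10:00:04 +0000] "GET /tour/index.html?xml=%3Cscript%3E HTTP/1.1" 200 5120',
]
```

Pass the tour's own host(s) in `allowed_hosts` so legitimate absolute `xml` URLs are not reported; everything else in the list is treated as an external source.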
## References
- Vendor advisories: Not detailed in the source; consult the official Krpano security information for CVE-2020-24901.
- Relevant links - defanged: https://olegzay.com/360xss/