More than 350 websites have been compromised in the sweeping 360XSS spam ads attack campaign, which abused an old medium-severity reflected cross-site scripting vulnerability in the Krpano framework, a library used to integrate 360° images and video into web pages, reports The Hacker News.
Exploiting the reflected XSS flaw, tracked as CVE-2020-24901, allowed threat actors to inject malicious scripts displaying dubious ads on search results for government portals and state government sites, as well as websites belonging to news outlets, Fortune 500 firms, major U.S. universities, car dealerships, and leading hotel chains, according to an analysis from cybersecurity researcher Oleg Zaytsev.
"A reflected XSS is a fun vulnerability but on its own requires user interaction, and one of the biggest challenges is to make people click your reflected XSS link. So using search engines as a distribution platform for your XSS is a very creative and cool way to do it," said Zaytsev.
Organizations using Krpano have been urged to install the latest update for the framework, which addresses a bypass of an earlier fix for the vulnerability.