Hackers Exploited Krpano Framework Flaw to Inject Spam Ads on 350+ Websites

A cross-site scripting (XSS) vulnerability in the Krpano virtual tour framework was exploited by malicious actors to inject spam ads on over 350 websites. The campaign, dubbed 360XSS, leveraged a reflected XSS flaw to manipulate search results and fuel a spam ads campaign at scale. Following responsible disclosure, the latest release of Krpano mitigates the risk of XSS attacks.