The 360XSS campaign exploited a reflected XSS vulnerability (CVE-2020-24901) in the Krpano virtual tour framework to hijack search results and distribute spam ads across 350+ websites, including government, university, and news portals. The attack leveraged an insecure default configuration setting (passQueryParameter) to inject malicious XML, redirecting users to spam ads and manipulating search engine rankings through SEO poisoning. Cybersecurity researcher Oleg Zaytsev discovered the campaign when adult content appeared under a university's domain, revealing widespread exploitation of Krpano-based sites. Although Krpano released a patch, many affected sites remained unpatched because of challenges in vulnerability disclosure. Security experts warn that such attacks highlight the growing trend of exploiting web frameworks rather than deploying traditional malware, which makes them highly scalable and difficult to detect.
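The mechanism described above (a query parameter passed straight through to the viewer, letting a request point the tour at attacker-hosted XML) leaves a simple trace in web-server access logs: a tour URL whose XML parameter resolves to a host other than the site itself. The following is an added detection example, not code from the article or from Krpano; it assumes combined-format access logs, that the pass-through parameter is named `xml` (with `swf` and `html5` watched as well), and uses constructed sample log lines.

```python
"""Flag tour requests whose pass-through parameter points off-site.

Assumptions (not from the article): combined access-log format, and that
the viewer reads the tour XML location from an ``xml`` query parameter.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log: client, ident, user, [timestamp], "METHOD path HTTP/x"
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')

# Query parameters a tour page may forward to the viewer (assumed names).
WATCHED_PARAMS = ("xml", "swf", "html5")

# Constructed sample lines: one benign relative path, two off-site XML
# locations (percent-encoded and protocol-relative), one same-site absolute URL.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Feb/2025:10:01:02 +0000] "GET /tour/index.html?xml=tour.xml HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Feb/2025:10:01:05 +0000] "GET /tour/index.html?xml=https%3A%2F%2Fads.example.net%2Fspam.xml HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Feb/2025:10:01:07 +0000] "GET /tour/index.html?xml=//ads.example.net/spam.xml&swf=viewer.swf HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.4 - - [25/Feb/2025:10:02:00 +0000] "GET /tour/index.html?xml=https://university.example/tour/a.xml HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def is_external(value: str, site_host: str) -> bool:
    """True when ``value`` names a location outside ``site_host``.

    Relative paths are fine; absolute http(s) URLs must match the site's own
    host; any other scheme is never a legitimate place to load tour XML from.
    """
    v = unquote(value).strip().lower()
    if v.startswith("//"):          # protocol-relative still picks a foreign host
        v = "https:" + v
    parts = urlsplit(v)
    if parts.scheme in ("http", "https"):
        return parts.hostname != site_host.lower()
    return parts.scheme != ""       # e.g. data:, javascript: -> flag


def suspicious_requests(log_lines, site_host):
    """Return (path, param, decoded value) for each off-site pass-through."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("path")).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name.lower() in WATCHED_PARAMS:
                for val in values:
                    if is_external(val, site_host):
                        hits.append((m.group("path"), name, unquote(val)))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG, "university.example"):
        print("off-site tour parameter:", hit)
```

Run it against real logs by feeding the file's lines to `suspicious_requests` with the site's own hostname; a hit is a request worth correlating with the Krpano version and passQueryParameter setting on that host.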