krpano Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in krpano versions prior to 1.23.2. This issue allows remote, unauthenticated attackers to execute arbitrary JavaScript in the context of the victim's browser. The vulnerability arises when the passQueryParameters function is used with the xml parameter enabled, allowing attackers to craft URLs that inject malicious scripts.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can execute JavaScript in the victim's browser session.

Reproduction

To reproduce this vulnerability, send a request to a krpano viewer with the xml parameter included in the URL query. Ensure that the passQueryParameters function is set to include the xml parameter. This will trigger the reflected XSS by executing any injected JavaScript in the victim's browser.

Remediation

Users are advised to update to krpano version 1.23.3, which addresses this vulnerability by fixing the XSS issue when the xml parameter is used with passQueryParameters.
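As an added triage aid for sites that cannot update immediately (this is not part of the advisory and not krpano's own code), the script below scans web access-log lines for requests to a krpano viewer page whose xml query parameter is anything other than a plain relative .xml path. The viewer path and the sample log lines are constructed assumptions.

```python
"""Triage pass over web access logs for the krpano xml-parameter issue.
Flags viewer requests whose ``xml`` query value is not a plain relative
.xml path (angle brackets, quotes, absolute URLs, traversal)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed location of the krpano embed page on the audited site.
VIEWER_PATHS = ("/tour/index.html",)
# A legitimate value looks like "tour.xml" or "xml/room2.xml".
SAFE_XML_VALUE = re.compile(r"^(?!.*\.\.)[\w./-]+\.xml$")
# Combined-format access log: client, identd, user, [time], "METHOD target HTTP/x"
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD|POST) (\S+) HTTP/')

# Constructed sample lines; not from the advisory or any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Nov/2025:04:19:00 +0000] "GET /tour/index.html?xml=tour.xml&startscene=lobby HTTP/1.1" 200 5120
203.0.113.7 - - [29/Nov/2025:04:19:02 +0000] "GET /tour/index.html?xml=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5120
198.51.100.9 - - [29/Nov/2025:04:19:05 +0000] "GET /tour/index.html?startscene=lobby HTTP/1.1" 200 5120
203.0.113.8 - - [29/Nov/2025:04:19:09 +0000] "GET /tour/index.html?xml=https%3A%2F%2Fcdn.example%2Fpano.xml HTTP/1.1" 200 5120
203.0.113.9 - - [29/Nov/2025:04:19:12 +0000] "GET /other/page.html?xml=%3Cb%3E HTTP/1.1" 200 10
"""

def is_safe_xml_value(value: str) -> bool:
    """True when the URL-decoded value is a plain relative .xml path."""
    return bool(SAFE_XML_VALUE.match(value))

def audit_log(log_text: str) -> list:
    """Return one finding per viewer request carrying a suspicious xml value."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, stamp, target = m.groups()
        parts = urlsplit(target)
        if parts.path not in VIEWER_PATHS:
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("xml", []):
            # parse_qs decodes once; a second unquote exposes double-encoded values.
            decoded = unquote(value)
            if not is_safe_xml_value(decoded):
                findings.append({"client": client, "time": stamp, "xml": decoded})
    return findings

if __name__ == "__main__":
    for hit in audit_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} suspicious xml={hit['xml']!r}")
```

Requests that pass the check still deserve review if the site's embed code passes xml through; the check only narrows the list of lines to look at.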

Added: Nov 29, 2025, 4:19 AM
Updated: Nov 29, 2025, 4:19 AM

Vulnerability Rating

Custom Algorithm
  spread          2.4
  impact          1.7
  exploitability  4.8
  remediation     7.7
  relevance       1.2
  threat          1.6
  urgency         2.9
  incentive       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.