Pannellum
Monthly
Pannellum 2.5.0 through 2.5.6 allows arbitrary JavaScript execution through improperly sanitized hotspot configuration attributes in JSON files, enabling stored XSS attacks against users viewing panorama viewers with malicious configurations. An attacker can craft a malicious config file that executes code automatically upon page load without user interaction, potentially allowing page defacement or credential theft. A patch is available to address this vulnerability.
Pannellum 2.5.0 through 2.5.6 allows arbitrary JavaScript execution through improperly sanitized hotspot configuration attributes in JSON files, enabling stored XSS attacks against users viewing panorama viewers with malicious configurations. An attacker can craft a malicious config file that executes code automatically upon page load without user interaction, potentially allowing page defacement or credential theft. A patch is available to address this vulnerability.