CVE-2019-16763

Name of the Vulnerable Software and Affected Versions Pannellum versions 2.5.0 through 2.5.5

Description The issue allows for potential Cross-Site Scripting (XSS) attacks due to insufficient sanitization of URLs for data URIs. An attack would require a user to click on a hot spot and would need an attacker-provided configuration. A plausible attack scenario involves hosting pannellum.htm on a domain that shares cookies with the targeted site's user authentication, allowing an attacker to embed an iframe on their site and potentially access information from the targeted site as the authenticated user if the user clicks on a hot spot in the attacker's embedded panorama viewer.

Recommendations For versions 2.5.0 through 2.5.5, upgrade to version 2.5.6 or later.