
Visvge

PT-2026-21004 · CVSS 6.1 · 2026-02-19
Pannellum · Pannellum · CVE-2026-27210
**Name of the Vulnerable Software and Affected Versions**

Pannellum versions 2.5.6 through 3.5.0

**Description**

Pannellum, a lightweight panorama viewer for the web, lets the hot spot `attributes` configuration property set any attribute on the hot spot element, including HTML event handler attributes (`on*`). A configuration that sets such an attribute therefore injects inline script, a cross-site scripting (XSS) condition. The `escapeHTML` option does not prevent this: it escapes text content, whereas here the attribute name itself is what turns the value into executable code.

Affected are websites that host the standalone viewer HTML file and any deployment that loads untrusted JSON config files. Some event handlers fire without user interaction, so merely visiting a URL that points the viewer at a malicious config file can execute arbitrary JavaScript and, for example, replace the page content. Reports indicate the issue is being actively exploited in cryptocurrency-related phishing.

**Recommendations**

Update Pannellum versions 2.5.6 through 3.5.0 to version 2.5.7 or later.

If updating is not immediately possible, send a Content-Security-Policy header containing `script-src-attr 'none'`, which blocks execution of inline event handler attributes; this mitigates the inline-handler vector only and is not a substitute for the update. Also do not host `pannellum.htm` on a domain that shares cookies with authenticated users, so that a successful XSS in the viewer cannot reach session cookies.
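The following JavaScript is an added illustration, not Pannellum's code and not taken from the advisory. It models the pattern described above: an unsafe routine that copies every key of a hot spot's `attributes` object onto an element, the allowlisted form that refuses event handler names, and an audit that flags `on*` attributes in an untrusted JSON config before it is handed to a viewer. The `FakeElement` stand-in, the function names, the allowlist and the sample config are assumptions made for this example.

```javascript
// Added example (not Pannellum's code): stand-in for the hot spot `attributes`
// handling the advisory describes, in an unsafe and a hardened form, plus an
// audit for untrusted config files. Names and allowlist are assumptions.

// Minimal DOM-element stand-in so the example runs under Node without a browser.
class FakeElement {
  constructor(tagName) {
    this.tagName = tagName;
    this.attributes = {};
  }
  setAttribute(name, value) {
    this.attributes[name] = String(value);
  }
}

// Unsafe pattern: every key of the config's `attributes` object is copied onto
// the element verbatim. An attacker-controlled config can therefore set an HTML
// event handler attribute (on*), which the browser runs as inline script.
// Escaping the attribute *value* as HTML does not help, because the attribute
// *name* is what makes the value executable.
function applyAttributesUnsafe(el, attrs) {
  for (const [name, value] of Object.entries(attrs || {})) {
    el.setAttribute(name, value);
  }
  return el;
}

// All HTML event handler content attributes start with "on" (onclick, onload, ...).
function isEventHandlerName(name) {
  return /^on/i.test(name);
}

// Hardened pattern: accept only names from a fixed allowlist plus harmless
// data-* attributes, and never accept an event handler name. Returns the
// element and the list of attribute names that were refused.
const ALLOWED_ATTRIBUTES = new Set([
  'id', 'class', 'title', 'role', 'tabindex', 'aria-label', 'aria-hidden',
]);

function applyAttributesSafe(el, attrs) {
  const rejected = [];
  for (const [rawName, value] of Object.entries(attrs || {})) {
    const name = rawName.toLowerCase();
    const permitted =
      !isEventHandlerName(name) &&
      (ALLOWED_ATTRIBUTES.has(name) || name.startsWith('data-'));
    if (!permitted) {
      rejected.push(rawName);
      continue;
    }
    el.setAttribute(name, value);
  }
  return { element: el, rejected };
}

// Audit helper for untrusted config files: walk every hot spot and report the
// event handler attributes it would set. Returns [] for a clean config.
function findEventHandlerAttributes(config) {
  const findings = [];
  const hotSpots = Array.isArray(config && config.hotSpots) ? config.hotSpots : [];
  hotSpots.forEach((hs, index) => {
    for (const name of Object.keys((hs && hs.attributes) || {})) {
      if (isEventHandlerName(name)) {
        findings.push({ hotSpot: index, attribute: name });
      }
    }
  });
  return findings;
}

// Constructed sample config in the shape the advisory describes: one hot spot
// whose `attributes` map smuggles in event handlers. Handler bodies are
// placeholders, not a real payload.
const sampleConfig = {
  type: 'equirectangular',
  panorama: 'pano.jpg',
  hotSpots: [
    {
      pitch: 0,
      yaw: 0,
      type: 'info',
      text: 'Harmless-looking label',
      attributes: {
        class: 'promo',
        'data-track': 'hs1',
        onmouseover: 'attackerCode()',
        onfocus: 'attackerCode()',
      },
    },
  ],
};

const hotSpotAttrs = sampleConfig.hotSpots[0].attributes;
const unsafe = applyAttributesUnsafe(new FakeElement('div'), hotSpotAttrs);
console.log('unsafe element attributes:', Object.keys(unsafe.attributes));
const safe = applyAttributesSafe(new FakeElement('div'), hotSpotAttrs);
console.log('safe element attributes:', Object.keys(safe.element.attributes),
  'rejected:', safe.rejected);
console.log('audit findings:', findEventHandlerAttributes(sampleConfig));
```

Run the audit over any config file fetched from a URL before passing it to the viewer; a non-empty result is grounds to refuse the file. The allowlist deliberately excludes URL-bearing attributes such as `href` and `src`, since those would need their own scheme checks.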