Cloud Threat Landscape

Krpano XSS exploitation campaign

Type: Campaign
Actors: Unknown
Pub. date: February 26, 2025
Initial access: 1-day vulnerability
Impact: Defacement, Resource hijacking
Observed techniques: XML injection, Subdomain takeover, Vulnerability exploitation
Targeted technologies: Krpano
References: https://olegzay.com/360xss/
Status: Finalized
Last edited: Mar 27, 2025 1:30 PM

The "360XSS" campaign is a widespread exploitation of a reflected cross-site scripting (XSS) vulnerability in the popular virtual tour framework Krpano, which allows external XML content to be injected via the xml query parameter. The vulnerability, known as CVE-2020-24901, stems from the misuse of Krpano’s passQueryParameters setting, which was enabled by default in many installations. Threat actors exploited this flaw across over 350 high-traffic websites—including Yale, CNN, and geo.tv—by injecting malicious XML containing Base64-encoded JavaScript that redirected visitors to pornographic, casino, and spammy advertisement pages. In some cases, the attackers went further by embedding fake content directly on the legitimate domains without redirection, enhancing the campaign’s credibility and reach.

Rather than stealing data or launching destructive attacks, the adversaries focused on SEO poisoning—using the reflected XSS links to manipulate Google’s search results and rank their spam ads highly under trusted domains. These links appeared in search results for high-volume keywords and included fake reviews, stars, and unique titles to optimize visibility. The attackers utilized hijacked subdomains and misconfigured cloud-hosted resources to deliver their payloads, pointing to a well-organized and possibly monetized operation.
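As an added, defender-side example that is not part of this Wiz entry and not Krpano project code: a small Python scan over constructed web-server access-log lines that flags virtual-tour requests whose xml query parameter points at an external host (the injection shape described above) or carries an inline data: URL (an assumed variant, not one the entry documents). The log lines, host names and the trusted-host allowlist are all constructed for the example.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Combined Log Format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Feb/2025:10:00:01 +0000] "GET /tour/index.html?xml=tour.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Feb/2025:10:00:07 +0000] "GET /tour/index.html?xml=https://attacker.example/evil.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.12 - - [26/Feb/2025:10:00:09 +0000] "GET /tour/index.html?xml=//cdn.example.net/assets/t.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.14 - - [26/Feb/2025:10:00:11 +0000] "GET /tour/index.html?xml=data:text/xml;base64,PGtycGFubz4= HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Pulls the request path (with query string) out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<path>\S+) HTTP/[\d.]+"')


def xml_param_risk(path: str, trusted_hosts: set[str]) -> str | None:
    """Classify the xml= query parameter of one request path.

    Returns a reason when the parameter points outside the site (absolute or
    protocol-relative URL to a host not in trusted_hosts) or carries an inline
    data: payload; returns None for ordinary same-origin relative paths.
    """
    values = parse_qs(urlsplit(path).query).get("xml")
    if not values:
        return None
    value = values[0].strip()
    lowered = value.lower()
    if lowered.startswith("data:"):
        return "inline data: payload in xml parameter"
    if lowered.startswith(("http://", "https://", "//")):
        # urlsplit also resolves the host of protocol-relative ("//host/...") URLs.
        host = (urlsplit(value).hostname or "").lower()
        if host not in trusted_hosts:
            return f"external XML source {host or '(unparseable)'}"
    return None


def scan_access_log(log_text: str, trusted_hosts: set[str]) -> list[tuple[str, str]]:
    """Return (client_ip, reason) for every request whose xml= parameter is suspicious."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reason = xml_param_risk(m.group("path"), trusted_hosts)
        if reason:
            findings.append((line.split(" ", 1)[0], reason))
    return findings


if __name__ == "__main__":
    for ip, reason in scan_access_log(SAMPLE_LOG, {"cdn.example.net"}):
        print(ip, reason)
```

Same-origin relative paths and allowlisted hosts pass silently; in a real deployment the allowlist should match the hosts the tour is actually served from.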

Last Updated: April 3, 2025