CVE-2025-65892

6.1 MEDIUM

📋 TL;DR

This vulnerability allows remote unauthenticated attackers to execute arbitrary JavaScript in users' browsers by tricking them into clicking a malicious URL. It affects all krpano installations before version 1.23.2 where the xml parameter is enabled in passQueryParameters. Users who follow such a link to a vulnerable krpano-based website are at risk.

💻 Affected Systems

Products:
  • krpano
Versions: All versions before 1.23.2
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when the xml parameter is enabled in the passQueryParameters function. Many deployments may have this disabled by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover, session hijacking, credential theft, and malware distribution to all users visiting the vulnerable site.

🟠 Likely Case

Session hijacking, credential theft from users who click malicious links, and defacement of vulnerable pages.

🟢 If Mitigated

Limited impact with proper Content Security Policy (CSP) headers and input validation, though XSS could still bypass some controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reflected XSS vulnerabilities are commonly weaponized in phishing campaigns. No public exploit code found yet, but trivial to craft.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.23.2

Vendor Advisory: https://krpano.com/docu/releasenotes/?version=1.23.3

Restart Required: No

Instructions:

1. Download krpano version 1.23.2 or later from the official website.
2. Replace the existing krpano files with the patched version.
3. Test functionality to ensure compatibility.

🔧 Temporary Workarounds

Disable xml parameter in passQueryParameters

all

Disable the vulnerable xml parameter in passQueryParameters configuration

Edit krpano configuration to set xml parameter to false in passQueryParameters

Implement Content Security Policy

all

Add CSP headers to restrict script execution

Add the header Content-Security-Policy: script-src 'self' to HTTP responses

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block XSS payloads in URLs
  • Disable passQueryParameters functionality entirely if not required

🔍 How to Verify

Check if Vulnerable:

Check if krpano version is below 1.23.2 and xml parameter is enabled in passQueryParameters

Check Version:

Check krpano.js file header or version.txt in krpano installation directory

Verify Fix Applied:

Verify krpano version is 1.23.2 or higher and test with XSS payloads in URL parameters

📡 Detection & Monitoring

Log Indicators:

  • URLs containing JavaScript payloads in query parameters
  • Multiple failed requests with script tags in parameters

Network Indicators:

  • HTTP requests with script tags or JavaScript in URL parameters to krpano endpoints

SIEM Query:

http.url:*krpano* AND (http.uri:*<script* OR http.uri:*javascript:* OR http.uri:*onerror=*)
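
The wildcard query above matches only literal markers, so a percent-encoded or double-encoded value passes unnoticed when the log stores the raw request line. The following added example (not part of the advisory or of krpano) applies the same three markers to access-log lines after decoding; the combined log format, the request paths and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Markers taken from the SIEM query above.
MARKERS = ("<script", "javascript:", "onerror=")
# Assumption: access logs use the Apache/nginx combined format.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IPs, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /krpano/tour.html?xml=tour.xml HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "GET /krpano/tour.html?xml=%3Cscript%3E HTTP/1.1" 200 5120',
    '198.51.100.4 - - [01/Jan/2026:10:00:09 +0000] "GET /krpano/tour.html?xml=%253Cimg%2520onerror%253D HTTP/1.1" 200 5120',
    '198.51.100.4 - - [01/Jan/2026:10:00:12 +0000] "GET /blog/post?q=%3Cscript%3E HTTP/1.1" 200 100',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return [(param, marker)] for a krpano request whose query carries a marker."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if "krpano" not in url.path.lower():  # same scope as http.url:*krpano*
        return []
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        # parse_qsl decodes once; decode further, lowercase, drop whitespace.
        text = re.sub(r"\s+", "", fully_decode(value).lower())
        hits += [(name, marker) for marker in MARKERS if marker in text]
    return hits

def scan(lines):
    """Return [(line_number, hits)] for every line with at least one hit."""
    pairs = ((n, suspicious_params(line)) for n, line in enumerate(lines, 1))
    return [(n, hits) for n, hits in pairs if hits]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {hits}")
```

Hits are triage leads rather than proof of exploitation; a match on the xml parameter is the one most relevant to this CVE.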
