SCA: security update for pannellum (GHSA-m52x-29pq-w3vv)

medium Tenable Self-Hosted Container Security Plugin ID 423326

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In Pannellum from 2.5.0 through 2.5.4 URLs were not sanitized for data URIs (or vbscript:), allowing for
potential XSS attacks. Such an attack would require a user to click on a hot spot to execute and would
require an attacker-provided configuration. The most plausible potential attack would be if pannellum.htm
was hosted on a domain that shared cookies with the targeted site's user authentication; an <iframe>
could then be embedded on the attacker's site using pannellum.htm from the targeted site, which would
allow the attacker to potentially access information from the targeted site as the authenticated user (or
worse if the targeted site did not have adequate CSRF protections) if the user clicked on a hot spot in
the attacker's embedded panorama viewer. This was patched in version 2.5.5. (CVE-2019-16763)

See Also

https://github.com/advisories/GHSA-m52x-29pq-w3vv

Plugin Details

Severity: Medium

ID: 423326

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 3/29/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 8.67

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2019-16763

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 11/22/2019

Vulnerability Publication Date: 11/22/2019

Reference Information

CVE: CVE-2019-16763

cwe: CWE-79