CVE-2025-66520 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the Portfolio feature of Foxit Software Inc.'s cloud-based PDF Editor service (pdfonline.foxit.com). The vulnerability stems from improper neutralization of user-supplied SVG files, which are embedded into the HTML DOM without adequate sanitization or validation. SVG files can contain embedded HTML or JavaScript, and when malicious SVG content is uploaded and included in the Portfolio file list, the embedded scripts execute in the context of the victim's browser. This execution can lead to unauthorized actions such as stealing session cookies, performing actions on behalf of the user, or exfiltrating sensitive information. The vulnerability requires the attacker to have low privileges (PR:L) and user interaction (UI:R), such as convincing a user to view the malicious Portfolio list. The CVSS v3.1 score is 6.3, reflecting a medium severity with high confidentiality impact, low integrity impact, and no availability impact. The vulnerability affects all versions of the product before December 1, 2025. No public exploits are currently known, but the risk remains significant due to the nature of stored XSS and the cloud-based delivery model. The vulnerability highlights the importance of proper input validation and output encoding, especially for complex file types like SVG that can embed executable code.

For European organizations, this vulnerability poses a risk of sensitive data exposure and session hijacking through stored XSS attacks in a widely used cloud PDF editing platform. Attackers exploiting this flaw could gain access to confidential documents, user credentials, or internal communications if users interact with maliciously crafted Portfolio files. This could lead to data breaches, compliance violations (e.g., GDPR), and reputational damage. Since the vulnerability affects a cloud service, the attack surface includes any European entity using Foxit's online PDF tools, increasing the potential scope. The medium severity score suggests moderate urgency, but the high confidentiality impact means organizations handling sensitive or regulated data should prioritize remediation. Additionally, attackers might use this vector as a foothold for further attacks within corporate networks if users access the service from internal environments. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed.

1. Apply any available patches or updates from Foxit Software Inc. promptly once released to address this vulnerability. 2. Until patches are available, restrict or monitor the upload of SVG files within the Portfolio feature, possibly disabling SVG support if feasible. 3. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers accessing the service. 4. Educate users about the risks of interacting with untrusted Portfolio files and encourage cautious behavior when opening files from unknown sources. 5. Employ web application firewalls (WAFs) with custom rules to detect and block malicious SVG payloads or suspicious script injections targeting the affected service. 6. Monitor logs and user activity for unusual behavior indicative of exploitation attempts. 7. Coordinate with Foxit support to receive timely updates and guidance. 8. Consider isolating access to the cloud PDF editor from sensitive internal networks or using secure browser environments to reduce risk.