
CVE-2025-66521: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Foxit Software Inc. pdfonline.foxit.com

Severity: Medium
Tags: vulnerability, cve-2025-66521, cwe-79
Published: Fri Dec 19 2025 (12/19/2025, 07:33:01 UTC)
Source: CVE Database V5
Vendor/Project: Foxit Software Inc.
Product: pdfonline.foxit.com

Description

A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Trusted Certificates feature. A crafted payload can be injected as the certificate name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the Trusted Certificates view is loaded.

AI-Powered Analysis

Last updated: 12/19/2025, 08:50:12 UTC

Technical Analysis

CVE-2025-66521 is a stored cross-site scripting (XSS) vulnerability identified in Foxit Software Inc.'s online PDF service, pdfonline.foxit.com, specifically within the Trusted Certificates feature. The vulnerability arises because the application improperly neutralizes input during web page generation (CWE-79). An attacker can inject a malicious script payload by submitting it as a certificate name. This payload is stored persistently and later rendered directly into the Document Object Model (DOM) without adequate sanitization or encoding. Consequently, whenever a user views the Trusted Certificates page, the malicious script executes in the context of their browser session.

The vulnerability requires the attacker to have low privileges (PR:L) and user interaction (UI:R), such as tricking a user into viewing the compromised certificates page. The attack vector is network-based (AV:N), and the scope remains unchanged (S:U). The impact primarily affects confidentiality (C:H) by potentially exposing sensitive session data or credentials, with limited integrity impact (I:L) and no availability impact (A:N). No known exploits are currently reported in the wild, and the affected versions include all releases before December 1, 2025.

The vulnerability highlights insufficient input validation and output encoding in a web application feature that handles user-supplied data, a common vector for XSS attacks. Given the persistent nature of stored XSS, this flaw can be exploited repeatedly once the malicious certificate name is stored. The lack of a patch link suggests that remediation is pending or in progress. Organizations relying on pdfonline.foxit.com should monitor for updates and consider interim mitigations.

Potential Impact

For European organizations, this vulnerability poses a significant risk to user confidentiality and session integrity when using Foxit's online PDF services. Exploitation could lead to session hijacking, theft of authentication tokens, or execution of unauthorized actions on behalf of the user. This is particularly concerning for sectors handling sensitive documents such as finance, legal, healthcare, and government agencies. The stored nature of the XSS means that once a malicious certificate name is injected, all users accessing the Trusted Certificates view are exposed, amplifying the potential impact. Although the vulnerability does not affect system availability, the compromise of user credentials or sensitive data could lead to broader security incidents, including data breaches or lateral movement within networks. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in environments where users frequently access the affected feature. The medium CVSS score reflects a moderate but non-trivial threat that should be addressed promptly to prevent exploitation.

Mitigation Recommendations

1. Apply official patches or updates from Foxit Software as soon as they become available to address the vulnerability directly.
2. Until patches are released, restrict access to the Trusted Certificates feature to trusted administrators only, minimizing exposure.
3. Implement strict input validation and sanitization on certificate name fields to prevent injection of malicious scripts.
4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser context.
5. Conduct regular security audits and penetration testing focusing on web application input handling and output encoding.
6. Educate users about the risks of interacting with untrusted or suspicious certificate entries.
7. Monitor web application logs for unusual certificate name submissions or access patterns to detect potential exploitation attempts.
8. Consider deploying web application firewalls (WAFs) with rules targeting XSS payloads specific to this context.
9. Review and limit user privileges to reduce the ability of low-privileged users to inject malicious content.
10. Maintain an incident response plan to quickly address any detected exploitation.
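The following is an added illustration, not Foxit's code, of the controls behind recommendation 3: the stored certificate name is encoded for the HTML text context before it is placed in a Trusted Certificates row, with a constrained name pattern as a second, input-side layer. The allowed-character pattern, the length limit and the row layout are assumptions made for this example.

```javascript
// Added example (not Foxit's code): encode a stored certificate name for the
// HTML context it is rendered into, so the Trusted Certificates view treats it
// as text rather than markup. Name pattern, length limit and row layout are
// assumptions made for this example.

// Every HTML-significant character maps to an entity; the browser can then
// only display it, never parse it as a tag or attribute.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input-side defence in depth: constrain what may be stored as a name at all.
const MAX_NAME_LENGTH = 128;                     // assumed limit
const NAME_PATTERN = /^[\p{L}\p{N} ._,()\-]+$/u; // assumed allow-list

function validateCertificateName(name) {
  if (typeof name !== "string") return { ok: false, reason: "not a string" };
  const trimmed = name.trim();
  if (trimmed.length === 0 || trimmed.length > MAX_NAME_LENGTH) {
    return { ok: false, reason: "bad length" };
  }
  if (!NAME_PATTERN.test(trimmed)) {
    return { ok: false, reason: "disallowed characters" };
  }
  return { ok: true, value: trimmed };
}

// Vulnerable pattern (the CWE-79 defect): the stored name is concatenated
// straight into markup, equivalent to assigning it to innerHTML in a browser.
function renderRowUnsafe(cert) {
  return `<tr><td class="cert-name">${cert.name}</td><td>${cert.issuer}</td></tr>`;
}

// Hardened pattern: each dynamic value is encoded for the HTML text context.
// In a live DOM, element.textContent = cert.name gives the same guarantee.
function renderRowSafe(cert) {
  return `<tr><td class="cert-name">${escapeHtml(cert.name)}</td><td>${escapeHtml(cert.issuer)}</td></tr>`;
}

// Constructed sample: a certificate whose stored name carries script markup.
const SAMPLE_CERT = { name: 'Corp Root CA <script>alert(1)</script>', issuer: "Example CA" };

console.log("unsafe:", renderRowUnsafe(SAMPLE_CERT));
console.log("safe:  ", renderRowSafe(SAMPLE_CERT));
console.log("valid?:", validateCertificateName(SAMPLE_CERT.name));
```

Output encoding is the control that actually closes the CWE-79 gap; the allow-list only reduces what reaches storage and must not be relied on alone, since the rendering code is what decides whether stored data becomes markup.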


Technical Details

Data Version: 5.2
Assigner Short Name: Foxit
Date Reserved: 2025-12-04T03:37:51.889Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69450fe2c326d36e5368d346

Added to database: 12/19/2025, 8:42:10 AM

Last enriched: 12/19/2025, 8:50:12 AM

Last updated: 12/19/2025, 11:13:58 AM
