CVE-2025-8661: Vulnerability in Broadcom Symantec PGP Encryption
A stored Cross-Site Scripting vulnerability (XSS) occurs when the server does not properly validate or encode the data entered by the user.
AI Analysis
Technical Summary
CVE-2025-8661 is a stored Cross-Site Scripting (XSS) vulnerability in Broadcom's Symantec PGP Encryption product, specifically affecting version 11.0.1. It arises because the server fails to properly validate or encode user-supplied input before storing it and subsequently rendering it in web pages. Stored XSS allows an attacker to inject malicious scripts that are permanently stored on the target server and executed in the browsers of users who access the affected pages.
The CVSS 4.0 base score is 4.6, indicating medium severity. The vector shows that the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L) and no additional attack requirements (AT:N), but it requires high privileges (PR:H) and active user interaction (UI:A), suggesting exploitation might be limited to users with elevated access. The impact on confidentiality and integrity is low, with no impact on availability. No known exploits are currently in the wild, and no patches or mitigation links have been published yet.
The vulnerability could be leveraged to execute arbitrary scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or redirection to malicious sites, but the requirement for high privileges and user interaction limits the ease of exploitation. It is significant in environments where Symantec PGP Encryption is used for securing communications and data, as it could undermine trust in the encryption management interface or related web components.
Potential Impact
For European organizations, the impact of this vulnerability depends largely on the deployment scope of Symantec PGP Encryption version 11.0.1 within their infrastructure. Organizations relying on this product for encryption key management or secure communications could face risks of session hijacking or unauthorized actions performed via malicious scripts injected through the stored XSS. This could lead to unauthorized access to sensitive encrypted data or manipulation of encryption settings, potentially compromising data confidentiality and integrity. However, the requirement for high privileges and user interaction reduces the likelihood of widespread exploitation. Still, targeted attacks against high-value users such as system administrators or security personnel could have serious consequences. Given the regulatory environment in Europe, including GDPR, any compromise of encryption management systems could result in significant compliance and reputational damage. The lack of known exploits in the wild currently reduces immediate risk, but organizations should remain vigilant and prioritize remediation once patches become available.
Mitigation Recommendations
1. Immediately review and restrict access privileges to the Symantec PGP Encryption management interfaces, ensuring only trusted administrators have high-level access.
2. Implement strict input validation and output encoding on all user input fields within the affected application to prevent injection of malicious scripts.
3. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers accessing the application.
4. Monitor logs and user activity for unusual behavior that could indicate attempted exploitation of XSS vulnerabilities.
5. Educate privileged users about the risks of interacting with untrusted content or links while logged into the encryption management system.
6. Stay alert for official patches or updates from Broadcom and apply them promptly once released.
7. Consider deploying Web Application Firewalls (WAFs) with rules designed to detect and block XSS payloads targeting the affected product.
8. Conduct regular security assessments and penetration testing focused on web application vulnerabilities within encryption management tools.
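Recommendations 2 and 3 in practice, as an added example that is not Broadcom's code or part of the original advisory: context-aware output encoding of a stored field, a nonce-based CSP header, and a parser-based check that the rendered markup carries no active content. The "note" field, the sample values and all function names are assumptions made for illustration.

```python
import html
import secrets
from html.parser import HTMLParser

# Constructed sample values for a hypothetical stored "note" field.
SCRIPT_VALUE = "Backup keyserver <script>alert(1)</script>"
QUOTE_VALUE = '" onmouseover="alert(1)'

def render_cell(value, encode=True):
    # Element-content context: <td>VALUE</td>
    body = html.escape(value, quote=True) if encode else value
    return "<td>" + body + "</td>"

def render_input(value, encode=True):
    # Quoted-attribute context; quote=True also encodes " and ',
    # which is what prevents breaking out of the attribute.
    body = html.escape(value, quote=True) if encode else value
    return '<input name="note" value="' + body + '">'

def csp_header(nonce):
    # No 'unsafe-inline': inline scripts without the nonce and all
    # on* event-handler attributes are refused by the browser.
    policy = "; ".join([
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",
        "object-src 'none'",
        "base-uri 'none'",
    ])
    return ("Content-Security-Policy", policy)

class ActiveContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script")
        self.findings += [f"{tag}@{name}" for name, _ in attrs if name.startswith("on")]

def active_content(markup):
    # Script elements and on* handlers that an HTML parser sees in the markup.
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    print(csp_header(secrets.token_urlsafe(16)))  # fresh nonce per response
    for value, render in ((SCRIPT_VALUE, render_cell), (QUOTE_VALUE, render_input)):
        print(active_content(render(value, encode=False)), active_content(render(value)))
```

The same `active_content` check can run in a regression test over every template that renders stored, user-supplied fields, so an unencoded sink fails the build rather than reaching an administrator's browser.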
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: symantec
- Date Reserved: 2025-08-06T05:59:53.491Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6899a39dad5a09ad0022676c
Added to database: 8/11/2025, 8:02:37 AM
Last enriched: 8/11/2025, 8:17:45 AM
Last updated: 8/11/2025, 11:09:33 AM