CVE-2025-66501
📋 TL;DR
A stored cross-site scripting vulnerability in Foxit eSign's pdfonline.foxit.com allows attackers to inject malicious scripts via the Identity 'First Name' field. When predefined text is used or document properties are viewed, the script executes in victims' browsers. This affects users of Foxit eSign's online platform who create or view documents with predefined text.
💻 Affected Systems
- Foxit eSign
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or install malware through drive-by downloads.
Likely Case
Session hijacking leading to unauthorized access to documents, credential theft, or defacement of document interfaces.
If Mitigated
Limited impact with proper input validation and output encoding; scripts would be sanitized before execution.
🎯 Exploit Status
Exploitation requires ability to create or modify predefined text fields, typically requiring some level of access to the eSign platform.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Foxit security bulletins for specific version
Vendor Advisory: https://www.foxit.com/support/security-bulletins.html
Restart Required: No
Instructions:
1. Visit Foxit security bulletins page
2. Identify patch for CVE-2025-66501
3. Apply update to Foxit eSign platform
4. Verify fix by testing predefined text functionality
🔧 Temporary Workarounds
Disable Predefined Text Feature
Temporarily disable the Predefined Text functionality in Foxit eSign until the patch is applied.
Input Validation Rules
Implement server-side input validation to reject script tags and special characters in the First Name field.
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Enable browser XSS protection headers and sanitize all user inputs server-side
🔍 How to Verify
Check if Vulnerable:
Test by entering <script>alert('XSS')</script> in the First Name field of the Predefined Text feature, then check whether the script executes when viewing document properties.
Check Version:
Check Foxit eSign version in platform settings or contact Foxit support.
Verify Fix Applied:
Repeat vulnerability test; script should be sanitized and not execute. Check that special characters are properly encoded in output.
📡 Detection & Monitoring
Log Indicators:
- Unusual length or special characters in First Name fields
- Multiple failed validation attempts on predefined text inputs
Network Indicators:
- Unexpected script tags in HTTP POST requests to eSign endpoints
- External script loads from document properties pages
SIEM Query:
source="foxit_esign" AND (http_method="POST" AND uri_path="*predefined*" AND (request_body="*<script>*" OR request_body="*javascript:*"))
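
The log and network indicators above, as an added example (not part of the original advisory and not Foxit's code): a Python filter over constructed JSON-lines events that reuses the SIEM query's field names. It goes beyond the query by also catching URL-encoded, double-encoded and mixed-case payloads and inline event handlers; the `firstName` parameter name, the URI paths and the length threshold are assumptions.

```python
import json
import re
from urllib.parse import parse_qs, unquote_plus

# Script tags, javascript: URLs and inline event handlers (onerror=, onload=, ...)
SUSPICIOUS = re.compile(r"<\s*script\b|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)
NAME_FIELD = "firstName"  # hypothetical form parameter name
MAX_NAME_LEN = 64         # assumed threshold for "unusual length"

# Constructed sample events (JSON lines); paths and bodies are placeholders.
SAMPLE_LOG = """\
{"http_method": "POST", "uri_path": "/esign/predefined-text", "request_body": "firstName=Alice&lastName=Doe"}
{"http_method": "POST", "uri_path": "/esign/predefined-text", "request_body": "firstName=%3Cscript%3Ealert(1)%3C%2Fscript%3E"}
{"http_method": "POST", "uri_path": "/esign/predefined-text", "request_body": "firstName=%253CScRiPt%253Ealert(1)%253C%252FScRiPt%253E"}
{"http_method": "GET", "uri_path": "/esign/predefined-text", "request_body": ""}
"""


def flag_event(event):
    """Return the reasons an event matches the indicators ([] if none)."""
    if event.get("http_method") != "POST":
        return []
    if "predefined" not in event.get("uri_path", "").lower():
        return []
    reasons = []
    # parse_qs performs the first URL-decode of each form value.
    fields = parse_qs(event.get("request_body", ""), keep_blank_values=True)
    for name, values in fields.items():
        for value in values:
            value = unquote_plus(value)  # second decode catches double encoding
            if SUSPICIOUS.search(value):
                reasons.append(f"{name}: script-like markup")
            if name == NAME_FIELD and len(value) > MAX_NAME_LEN:
                reasons.append(f"{name}: unusual length ({len(value)})")
    return reasons


def scan(log_text):
    """Return (line_number, reasons) for every flagged line of a JSON-lines log."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        reasons = flag_event(json.loads(line))
        if reasons:
            hits.append((number, reasons))
    return hits


if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(number, reasons)
```
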