CVE-2025-66521

6.3 MEDIUM

📋 TL;DR

A stored XSS vulnerability in Foxit PDF Online's Trusted Certificates feature allows attackers to inject malicious scripts into certificate names. When users view the Trusted Certificates page, the script executes automatically. This affects all users of pdfonline.foxit.com who access the Trusted Certificates feature.

💻 Affected Systems

Products:
  • Foxit PDF Online (pdfonline.foxit.com)
Versions: All versions prior to patch
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the web interface at pdfonline.foxit.com, not desktop applications.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or install malware through drive-by downloads.

🟠 Likely Case

Session hijacking, credential theft, or defacement of the Trusted Certificates interface.

🟢 If Mitigated

Limited impact if proper input validation and output encoding are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authentication to access Trusted Certificates feature for payload injection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific version

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: No

Instructions:

1. Visit Foxit security bulletins page
2. Locate CVE-2025-66521 advisory
3. Follow vendor's patching instructions for PDF Online service

🔧 Temporary Workarounds

Disable Trusted Certificates Feature

Platform: all

Temporarily disable or restrict access to the Trusted Certificates management interface.

Implement WAF Rules

Platform: all

Add web application firewall rules to block XSS payloads in certificate name fields.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers
  • Monitor and audit Trusted Certificates interface access

🔍 How to Verify

Check if Vulnerable:

Test by attempting to inject a simple XSS payload like <script>alert('test')</script> into a certificate name field.

Check Version:

Check web interface footer or about page for version information.

Verify Fix Applied:

Verify that injected scripts no longer execute when viewing the Trusted Certificates page.

📡 Detection & Monitoring

Log Indicators:

  • Unusual certificate name entries containing script tags or JavaScript code
  • Multiple failed attempts to access Trusted Certificates feature

Network Indicators:

  • HTTP requests containing script tags in POST data to certificate management endpoints

SIEM Query:

source="web_server" AND (uri="/trusted-certificates" OR uri="/certificates") AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:")
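The SIEM query above, turned into an added Python check run over constructed log lines (this is example code, not code from Foxit or from the advisory). It goes slightly beyond the literal query by URL-decoding the request body and matching case-insensitively, since the query as written would miss an encoded "%3Cscript%3E" or an upper-case "<SCRIPT>" tag. The JSON log layout and the field names uri and request_body are assumptions.

```python
import json
import re
from urllib.parse import unquote_plus

# Constructed sample web-server log lines (one JSON object per line); not real Foxit logs.
SAMPLE_LOGS = """
{"method":"POST","uri":"/trusted-certificates","status":200,"request_body":"name=Contoso+Root+CA"}
{"method":"POST","uri":"/trusted-certificates","status":200,"request_body":"name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"}
{"method":"POST","uri":"/certificates","status":200,"request_body":"name=<SCRIPT>alert(1)</SCRIPT>"}
{"method":"POST","uri":"/certificates","status":200,"request_body":"name=<a href=javascript:alert(1)>x</a>"}
{"method":"POST","uri":"/login","status":302,"request_body":"user=a&pass=<script>"}
{"method":"GET","uri":"/trusted-certificates","status":200,"request_body":""}
"""

# Certificate-management endpoints from the advisory's SIEM query (assumed paths).
CERT_ENDPOINTS = ("/trusted-certificates", "/certificates")

# Same markers as the SIEM query, but case-insensitive and tolerant of whitespace,
# applied to the URL-decoded body so encoded variants are not missed.
XSS_MARKERS = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)


def is_suspicious(entry: dict) -> bool:
    """True when a request to a certificate endpoint carries script markers in its body."""
    path = entry.get("uri", "").split("?")[0]
    if path not in CERT_ENDPOINTS:
        return False
    body = unquote_plus(entry.get("request_body", ""))
    return XSS_MARKERS.search(body) is not None


def scan_logs(log_text: str) -> list:
    """Return (line number, uri, decoded body) for every log line that matches."""
    hits = []
    for lineno, line in enumerate(log_text.strip().splitlines(), start=1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        if is_suspicious(entry):
            hits.append((lineno, entry["uri"], unquote_plus(entry["request_body"])))
    return hits


if __name__ == "__main__":
    for lineno, uri, body in scan_logs(SAMPLE_LOGS):
        print(f"line {lineno}: {uri} body={body!r}")
```

Lines 2, 3 and 4 of the sample are flagged; the /login request is ignored because it is outside the certificate endpoints the query scopes to.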
