Stored XSS in Foxit PDF Editor Cloud Portfolio via crafted SVG upload

When a victim views/renders the Portfolio file list containing the malicious SVG entry, attacker-controlled script can execute in the context of the Foxit cloud web application. This can enable session/token theft, user impersonation/account takeover actions within the application, data access consistent with the victim’s privileges, and other browser-based post-exploitation (e.g., CSRF-like actions performed via same-origin script).

Until a full fix is deployed: disable SVG uploads/handling in the Portfolio feature (or treat SVG as a non-rendered download-only attachment), strip/neutralize SVG content at upload time, and apply a restrictive CSP (disallow inline script and restrict script-src to trusted origins) to limit exploitability. Monitor for suspicious SVG uploads and anomalous Portfolio rendering activity.

Implement robust server-side SVG sanitization/validation prior to storage and prior to insertion into any HTML/DOM context. Enforce an allowlist-based SVG sanitizer that removes scriptable elements/attributes (including but not limited to <script>, event handlers, foreignObject, external references) and rejects or converts SVG to a safe raster format when used for previews/icons. Additionally, ensure all user-controlled fields are contextually output-encoded and avoid inserting untrusted markup into the DOM. Deploy/strengthen CSP to reduce XSS impact.