Foxit PDF Editor Cloud XSS Vulnerability

MEDIUM (6.3) No Patch

Threat Intelligence

Low Risk
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

Foxit PDF Editor Cloud is a web-based application for editing and sharing PDF files. The vulnerability is in its Portfolio feature, which lets users upload and display SVG files. Because the Portfolio file list renders that content without adequate sanitization, an attacker can use an uploaded SVG to inject HTML or JavaScript into the file list, resulting in cross-site scripting (XSS) against other users who view it.

Am I affected?

You're affected if you use the Foxit PDF Editor cloud version 3.2.0 or later. To check if your instance is vulnerable, run the following command:

find / -name "foxit-pdfecloud.jar" 2>/dev/null

Note: This vulnerability does not affect the desktop application.

Affected Products

Foxit Software / Foxit PDF Editor Cloud

How to fix

To fix this vulnerability, upgrade to Foxit PDF Editor Cloud version 3.2.1 or later. If you cannot upgrade immediately, apply these mitigations in the meantime:

  • Restrict network access to your Foxit PDF Editor cloud instance (firewall it from the public internet)
  • Audit admin account activity for suspicious access patterns
  • Monitor for unauthorized SVG file uploads

You can download the patched version from the Foxit website: https://www.foxit.com/support/security-bulletins.html.
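The mitigation list above asks you to monitor SVG uploads. The following is an added example, not part of the original advisory and not Foxit code: a server-side screen that flags the SVG constructs which turn an inline-rendered file into a stored-XSS vector (script elements, event-handler attributes, javascript: links, DTDs). It assumes nothing about Foxit internals; the sample SVGs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Elements whose presence lets an inline-rendered SVG run or embed active content.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes that execute or load HTML when used in href/src attributes.
ACTIVE_URL_PREFIXES = ("javascript:", "data:text/html", "vbscript:")


def _local(name: str) -> str:
    """Drop the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list:
    """Return the reasons an uploaded SVG should be rejected (empty list = clean).

    Deny-list screen only: it does not sanitize. Reject the upload, or serve it
    as an opaque download rather than inline, whenever anything is reported.
    """
    findings = []
    # expat does not fetch external entities, but refuse DTDs outright anyway.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        findings.append("DOCTYPE/ENTITY declaration")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return findings + [f"unparseable XML: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name in ("href", "src") and value.strip().lower().startswith(ACTIVE_URL_PREFIXES):
                findings.append(f"{name}={value!r} on <{tag}>")
    return findings


# Constructed samples (not from the advisory): a plain icon and a hostile upload.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
HOSTILE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
               b'onload="alert(1)"><script>alert(1)</script>'
               b'<a xlink:href="javascript:alert(1)"><text>open</text></a></svg>')

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("hostile", HOSTILE_SVG)):
        print(label, svg_findings(blob) or "clean")
```

Run this on each upload before it is stored; a non-empty result means the file should never be rendered inline in a shared file list.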
