low
1.8
CWE
79 94
Advisory Published
Advisory Published
Updated

CVE-2025-30166: Pimcore's Admin Classic Bundle allows HTML Injection

First published: Tue Apr 08 2025(Updated: )

### Summary An HTML injection issue allows users with access to the email sending functionality to inject arbitrary HTML code into emails sent via the admin interface, potentially leading to session cookie theft and the alteration of page content. ### Details The vulnerability was discovered in the `/admin/email/send-test-email` endpoint using the `POST` method. The vulnerable parameter is `content`, which permits the injection of arbitrary HTML code during the email sending process. While JavaScript code injection is blocked through filtering, HTML code injection remains possible. ### PoC To reproduce the vulnerability, a user must fill out the email's content form with the desired HTML payload. ![send-test-mail-text](https://github.com/user-attachments/assets/0e02b004-ce88-4018-b7cb-ae15a8ec2300) ### Impact ![mail-text](https://github.com/user-attachments/assets/67080d10-0cef-4f65-a157-4f012203f0a3) This HTML injection vulnerability can potentially enable phishing attacks by allowing the insertion of any html like fake login forms, etc. All functionalities that process user input should be carefully reviewed to ensure that data is appropriately encoded as HTML entities in server responses. For instance, a reflected input paramete like `<h1> just a test </h1> <p> <img>` should be displayed in the HTML response as `&#x3c;h1&#x3e; just a test &#x3c;/h1&#x3e; &#x3c;p&#x3e; &#x3c;img&#x3e;`.

Credit: security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Pimcore AdminBundle<1.7.6
composer/pimcore/admin-ui-classic-bundle<1.7.6
1.7.6

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2025-30166?

    The severity of CVE-2025-30166 is rated as high due to the potential for HTML injection leading to session cookie theft.

  • How do I fix CVE-2025-30166?

    To fix CVE-2025-30166, upgrade the Pimcore Admin Classic Bundle to version 1.7.6 or later.

  • Who is affected by CVE-2025-30166?

    Users of Pimcore Admin Classic Bundle versions prior to 1.7.6 may be affected by CVE-2025-30166.

  • What is the main impact of CVE-2025-30166?

    The main impact of CVE-2025-30166 is the ability for attackers to inject arbitrary HTML into emails, which may lead to phishing attacks.

  • How does CVE-2025-30166 affect email functionalities?

    CVE-2025-30166 affects email functionalities by allowing unauthorized HTML code injection, compromising the integrity of communications.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203