CVE-2025-30166: Pimcore's Admin Classic Bundle allows HTML Injection

1.8 CVSS

Description

Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. An HTML injection issue allows users with access to the email sending functionality to inject arbitrary HTML code into emails sent via the admin interface, potentially leading to session cookie theft and the alteration of page content. The vulnerability was discovered in the /admin/email/send-test-email endpoint using the POST method. The vulnerable parameter is content, which permits the injection of arbitrary HTML code during the email sending process. While JavaScript code injection is blocked through filtering, HTML code injection remains possible. This vulnerability is fixed in 1.7.6.

Classification

CVE ID: CVE-2025-30166

CVSS Base Severity: LOW

CVSS Base Score: 1.8

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem Types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products

Vendor: pimcore

Product: admin-ui-classic-bundle

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.0% (probability of being exploited)

EPSS Percentile: 0.02% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-30166
https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-x82r-6j37-vrgg
https://github.com/pimcore/admin-ui-classic-bundle/commit/76b690d4f8fcd9c9d41766bc5238c2513242e60e

Timeline

2025-04-08 12:40:16 UTC
CVE

Pimcore's Admin Classic Bundle allows HTML Injection
2025-04-08 15:15:25 UTC
Github Advisory Database (Composer)

[pimcore/admin-ui-classic-bundle] Pimcore's Admin Classic Bundle allows HTML Injection