CVE-2025-30166: Cross-site Scripting in Admin-ui-classic-bundle

Severity: 1.8 LOW (NVD)
EPSS: 0.0% (top 99.99%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 8

Description

Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. An HTML injection issue allows users with access to the email sending functionality to inject arbitrary HTML code into emails sent via the admin interface, potentially leading to session cookie theft and the alteration of page content. The vulnerability was discovered in the /admin/email/send-test-email endpoint using the POST method. The vulnerable parameter is content, which permits the injection of arbitrary HTML code during th

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages: 3 packages

Patches

Vulnerability Details (3 references)

CVEList: Pimcore's Admin Classic Bundle allows HTML Injection (2025-04-08)
GHSA: Pimcore's Admin Classic Bundle allows HTML Injection (2025-04-08)
OSV: Pimcore's Admin Classic Bundle allows HTML Injection (2025-04-08)
CVE-2025-30166 — Cross-site Scripting | cvebase