1.8

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-30166

GHSA ID

GHSA-x82r-6j37-vrgg

EPSS Score

0.00021%

CWE

CWE-79

Published

4/8/2025

Updated

4/8/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-30166

CVE-2025-30166:
Pimcore's Admin Classic Bundle allows HTML Injection

Summary

An HTML injection issue allows users with access to the email sending functionality to inject arbitrary HTML code into emails sent via the admin interface, potentially leading to session cookie theft and the alteration of page content.

Details

The vulnerability was discovered in the /admin/email/send-test-email endpoint using the POST method. The vulnerable parameter is content, which permits the injection of arbitrary HTML code during the email sending process. While JavaScript code injection is blocked through filtering, HTML code injection remains possible.

PoC

To reproduce the vulnerability, a user must fill out the email's content form with the desired HTML payload. send-test-mail-text

Impact

mail-text

This HTML injection vulnerability can potentially enable phishing attacks by allowing the insertion of any html like fake login forms, etc. All functionalities that process user input should be carefully reviewed to ensure that data is appropriately encoded as HTML entities in server responses. For instance, a reflected input paramete like <h1> just a test </h1> <p> <img> should be displayed in the HTML response as <h1> just a test </h1> <p> <img>.

(GitHub Advisory)

1.8

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-30166

GHSA ID

GHSA-x82r-6j37-vrgg

EPSS Score

0.00021%

CWE

CWE-79

Published

4/8/2025

Updated

4/8/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pimcore/admin-ui-classic-bundle	composer	< 1.7.6	1.7.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability occurs in the email sending functionality, specifically when handling the 'content' parameter. The provided commit 76b690d4f8fcd9c9d41766bc5238c2513242e60e directly modifies the sendTestEmailAction method within src/Controller/Admin/EmailController.php. The patch applies strip_tags to the content parameter when the email type is 'text', indicating that previously this input was not sanitized. The diff clearly shows the vulnerable line - $mail->text($request->get('content')); being replaced. This function is responsible for retrieving the user input and passing it to the mail generation logic. The vulnerability description also implies that the HTML email type path within the same function might still be vulnerable as it wasn't addressed by this specific commit. Therefore, sendTestEmailAction is identified as the vulnerable function as it processes the tainted input.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry *n *TML inj**tion issu* *llows us*rs wit* ****ss to t** *m*il s*n*in* *un*tion*lity to inj**t *r*itr*ry *TML *o** into *m*ils s*nt vi* t** **min int*r****, pot*nti*lly l***in* to s*ssion *ooki* t***t *n* t** *lt*r*tion o* p*** *ont*nt. #

Reasoning

T** vuln*r**ility o**urs in t** *m*il s*n*in* *un*tion*lity, sp**i*i**lly w**n **n*lin* t** '*ont*nt' p*r*m*t*r. T** provi*** *ommit `****************************************` *ir**tly mo*i*i*s t** `s*n*T*st*m*il**tion` m*t*o* wit*in `sr*/*ontroll*r/

1.8

Basic Information

Concerned about an active attack path?

CVE-2025-30166: Pimcore's Admin Classic Bundle allows HTML Injection

Summary

Details

PoC

Impact

1.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-30166:
Pimcore's Admin Classic Bundle allows HTML Injection

Vulnerability Intelligence
Miggo AI