CVE-2024-25625: 
PHP vulnerability analysis and mitigation

A Host Header Injection vulnerability (CVE-2024-25625) was discovered in Pimcore's Admin Classic Bundle (pimcore/admin-ui-classic-bundle) versions prior to 1.3.4. The vulnerability exists in the invitationLinkAction function of the UserController, specifically in how the $loginUrl parameter handles user input (GitHub Advisory).

The vulnerability stems from unsafe handling of host headers from incoming HTTP requests when generating URLs. The invitationLinkAction function in UserController.php constructs URLs using unvalidated host headers from POST requests to the /admin/user/invitationlink endpoint. When a host header is injected in the POST request, the $loginURL parameter is constructed with this unvalidated host header, which is then used in invitation emails sent to users (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N (NVD).

The vulnerability enables attackers to perform phishing attacks by manipulating invitation link URLs to point to attacker-controlled domains. When exploited, the generated URLs in invitation emails could direct users to malicious websites instead of the legitimate application domain (GitHub Advisory).

The vulnerability has been patched in version 1.3.4 of the admin-ui-classic-bundle. The recommended mitigation includes validating the host header to ensure it matches the application's domain and implementing a default trusted host or hostname when the incoming host header is unrecognized or absent (GitHub Advisory).