CVE-2025-30166: 
PHP vulnerability analysis and mitigation

Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. The vulnerability (CVE-2025-30166) was discovered in April 2025 and affects versions up to 1.7.5. An HTML injection issue allows users with access to the email sending functionality to inject arbitrary HTML code into emails sent via the admin interface, potentially leading to session cookie theft and the alteration of page content (GitHub Advisory).

The vulnerability was discovered in the /admin/email/send-test-email endpoint using the POST method. The vulnerable parameter is 'content', which permits the injection of arbitrary HTML code during the email sending process. While JavaScript code injection is blocked through filtering, HTML code injection remains possible. The vulnerability has been assigned a CVSS v4.0 score of 1.8 (LOW) with the vector string: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N (GitHub Advisory).

This HTML injection vulnerability can potentially enable phishing attacks by allowing the insertion of any HTML content, such as fake login forms. The vulnerability could lead to session cookie theft and the alteration of page content. The impact is considered low due to the high attack complexity and requirement for high privileges (GitHub Advisory).

The vulnerability has been fixed in version 1.7.6 of the Pimcore Admin Classic Bundle. The fix involves implementing proper HTML tag stripping in text emails, as evidenced by the patch that adds strip_tags() function to sanitize the content parameter (GitHub Commit).