GHSA-jmh9-6rjq-gjh9: 
PHP vulnerability analysis and mitigation

A moderate severity vulnerability was identified in PIMCore's admin-ui-classic-bundle affecting versions up to 1.4.2. The issue stems from the usage of jQuery version 3.4.1, which is known to be vulnerable to cross-site-scripting (XSS) attacks. The vulnerability was published on June 4, 2024, and reviewed by GitHub on June 5, 2024 (GitHub Advisory).

The vulnerability exists in jQuery versions from 1.0.3 to versions before 3.5.0. The core issue involves the handling of HTML containing elements from untrusted sources. Even after sanitization, when such content is passed to jQuery's DOM manipulation methods (including .html(), .append(), and others), it may result in the execution of untrusted code (GitHub Advisory).

The vulnerability could potentially lead to cross-site scripting (XSS) attacks, allowing attackers to execute malicious code in the context of the user's browser when processing untrusted HTML content through jQuery's DOM manipulation methods (GitHub Advisory).

The vulnerability has been patched in pimcore/admin-ui-classic-bundle version 1.4.3. Users are advised to upgrade to this version or later to address the security issue. The underlying jQuery vulnerability was fixed in jQuery version 3.5.0 (GitHub Advisory).