
Researcher: Hackeruniverse (#49,459 of 53,624 · total CVSS 5 · vulnerabilities: 1)
PT-2023-25880 · CVSS 5.0 · 2023-07-11

Pimcore · Pimcore Admin Classic Bundle · CVE-2023-37280
**Name of the Vulnerable Software and Affected Versions**

Pimcore Admin Classic Bundle versions prior to 1.0.3

**Description**

The issue allows unauthenticated HTML injection or cross-site scripting (XSS) against admins who have not yet set up two-factor authentication, causing the application to render arbitrary HTML or execute arbitrary scripts. The vulnerable endpoint is `/admin/login/2fa-setup`, and the vulnerable parameter is `error`. An attacker could replace the QR code on the 2FA page, increasing the threat to admins. The attack can lead to cookie theft, defacement, or injection of phishing URLs into the target application.

**Recommendations**

Update to version 1.0.3 to resolve the issue. As a temporary workaround, consider applying the patches manually from the provided GitHub commit. Restrict access to the vulnerable endpoint `/admin/login/2fa-setup` and avoid using the `error` parameter on this endpoint until the issue is resolved.
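As an added example (not part of the advisory and not Pimcore code), the following Python scans web-server access logs for requests to the vulnerable endpoint whose `error` parameter carries markup, which is the kind of check a defender can run while the workaround above is in place. It assumes the combined log format; the log lines are constructed, and the markup heuristic is an assumption, not a signature from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jul/2023:10:00:01 +0000] "GET /admin/login/2fa-setup HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Jul/2023:10:00:07 +0000] "GET /admin/login/2fa-setup?error=Invalid%20code HTTP/1.1" 200 5130 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jul/2023:10:02:44 +0000] "GET /admin/login/2fa-setup?error=%3Ca%20href%3D%22https%3A%2F%2Fexample.invalid%22%3EReset%3C%2Fa%3E HTTP/1.1" 200 5200 "-" "curl/8.1"
198.51.100.7 - - [11/Jul/2023:10:03:01 +0000] "GET /admin/login?error=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 4000 "-" "curl/8.1"
"""

# Client IP, timestamp, method and request target of a combined-log-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
# Endpoint and parameter named in the advisory.
VULN_PATH = "/admin/login/2fa-setup"
VULN_PARAM = "error"
# Heuristic (assumed, not from the advisory): an opening/closing tag, a
# javascript: URL, or an inline event handler in the decoded value.
MARKUP_RE = re.compile(r"<[a-zA-Z!/]|javascript:|on[a-z]+\s*=", re.IGNORECASE)


def check_request(line):
    """Return (ip, decoded_error) when the line hits the vulnerable endpoint
    with markup in the `error` parameter; otherwise return None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_PATH:
        return None
    # parse_qs percent-decodes once; unquote again so a double-encoded value
    # is inspected in the form the browser would eventually render.
    for raw in parse_qs(parts.query, keep_blank_values=True).get(VULN_PARAM, []):
        value = unquote(raw)
        if MARKUP_RE.search(value):
            return (m.group("ip"), value)
    return None


def scan_log(text):
    """Return all (ip, decoded_error) hits found in a block of log text."""
    return [hit for hit in (check_request(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, value in scan_log(SAMPLE_LOG):
        print(f"suspicious 2fa-setup request from {ip}: {value!r}")
```

The fourth sample line targets `/admin/login` rather than the 2FA setup page and is deliberately not reported, so the check stays scoped to the endpoint the advisory names.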