Stored html injection on segment name in pimcore/customer-data-framework
Reported on
Jul 26th 2023
Description
I have found an HTML Injection vulnerability in your web application. HTML injection is a type of injection vulnerability that occurs when a user is able to control an input point and inject arbitrary HTML code into a vulnerable web page.
Note : I am recreating the report as you requested. https://huntr.dev/bounties/b2edcaf2-327d-45fd-9e54-ea4c164466a1/
Steps to reproduce:
- Navigate to the URL https://demo.pimcore.fun/admin and log in.
- Select perspective --> CDP and click on any user profile.
- Click Edit -> Segmentation -> Calculated segments (open the folder).
- Enter the HTML payload in the Segment name field and save it.
- Go to the Customers option; the payload successfully works.
Proof of Concept
https://drive.google.com/file/d/1xdzlAsyH-ievhIaRbfXJ0JHTtlix62N2/view?usp=sharing
Impact
As the HTML injection works in email, an attacker can trick a victim into clicking such hyperlinks to redirect them to any malicious site, and can also host an XSS page. All this will surely cause some damage to the victim. This could lead to users being tricked into giving their logins away to malicious attackers.
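The following is an added example, not code from the original report or from Pimcore or the customer-data-framework, illustrating the general failure mode the report describes: a stored name field interpolated into markup without escaping, beside an output-escaped rendering, plus a small check that flags markup the renderer itself did not emit. The renderer shape, the segment list and the payload are all constructed for this illustration and are not the project's actual templates or data.

```javascript
// Added example: generic illustration of stored HTML injection in a name field.
// Not Pimcore code; the renderers, segment names and payload are constructed here.

// Minimal HTML escaper for text nodes and double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable renderer (assumed shape): interpolates the stored name directly
// into markup, so any tags stored in the name become part of the page.
function renderSegmentListUnsafe(segments) {
  return "<ul>" + segments.map((s) => `<li>${s.name}</li>`).join("") + "</ul>";
}

// Hardened renderer: escapes every untrusted value at the point of output.
// The stored value is kept as-is; only its rendering changes.
function renderSegmentListSafe(segments) {
  return (
    "<ul>" + segments.map((s) => `<li>${escapeHtml(s.name)}</li>`).join("") + "</ul>"
  );
}

// Check for a rendered fragment: list every tag name that the renderer did not
// produce itself. This renderer only emits ul/li, so any other tag name means
// stored markup reached the page unescaped. Returns one entry per opening or
// closing tag found, so an injected <a>...</a> yields ["a", "a"].
function injectedTags(html, allowed = ["ul", "li"]) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) =>
    m[1].toLowerCase()
  );
  return tags.filter((t) => !allowed.includes(t));
}

// Constructed sample data: one benign segment and one whose name carries the
// kind of payload the report describes, a hyperlink to an attacker-chosen site
// dressed up as a login prompt.
const SEGMENTS = [
  { name: "Newsletter subscribers" },
  { name: '<a href="https://attacker.example/login">Re-enter your password</a>' },
];

// Stand-alone run: show both renderings and what the check reports for each.
if (typeof require !== "undefined" && require.main === module) {
  const unsafe = renderSegmentListUnsafe(SEGMENTS);
  const safe = renderSegmentListSafe(SEGMENTS);
  console.log("unsafe:", unsafe);
  console.log("injected tags (unsafe):", injectedTags(unsafe));
  console.log("safe:  ", safe);
  console.log("injected tags (safe):", injectedTags(safe));
}
```

The point of the check is that it runs against rendered output rather than stored input: a segment name containing `<a>` is legitimate data to store, and the defect is only at the place where it is written into HTML without escaping. Escaping at output, as in `renderSegmentListSafe`, removes the injected hyperlink while preserving the stored text exactly.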
@maintainer can you assign a CVE for this vulnerability, please?
Hi @si13ntr311ik, the issue will be closed and assigned a CVE when the fix is released in a version. Thanks.