Description

Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.23, allows XSS that leads to account takeover via a crafted text/html e-mail message with an onerror attribute (that may use base64-encoded JavaScript code), as exploited in the wild in March 2025.

Status: PUBLISHED | Reserved: 2025-03-21 | Published: 2025-03-21 | Updated: 2025-04-03 | Assigner: mitre

Severity

HIGH: 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status: unknown

Any version: affected

References

lists.debian.org/debian-lts-announce/2025/04/msg00008.html

github.com/horde/webmail/releases/tag/v5.2.22

www.horde.org/apps/imp

lists.horde.org/...ives/imp/Week-of-Mon-20250317/057781.html

web.archive.org/...ives/imp/Week-of-Mon-20250317/057781.html

www.horde.org/download/horde

github.com/...04af4886f7d95138619bd4/doc/INSTALL.rst?plain=1

www.horde.org/apps/horde

github.com/...04af4886f7d95138619bd4/doc/INSTALL.rst?plain=1

lists.horde.org/...ives/imp/Week-of-Mon-20250317/057784.html

github.com/horde/imp/releases/tag/v6.2.27

github.com/horde/base/releases/tag/v5.2.23

web.archive.org/...ives/imp/Week-of-Mon-20250317/057784.html

github.com/natasaka/CVE-2025-30349/

cve.org (CVE-2025-30349)

nvd.nist.gov (CVE-2025-30349)