QwikSec

Security Database

CVE

CWE

Training

CVE-2025-30349

Published: Mar 21, 2025

Modified: Apr 3, 2025

PUBLISHED

CVSS v3.1

7.2

HIGH

Description

Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.23, allows XSS that leads to account takeover via a crafted text/html e-mail message with an onerror attribute (that may use base64-encoded JavaScript code), as exploited in the wild in March 2025.

Vendor	Product	Versions
Horde	IMP	affected `0 - <= 6.2.27`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/horde/webmail/releases/tag/v5.2.22

https://www.horde.org/apps/imp

https://lists.horde.org/archives/imp/Week-of-Mon-20250317/057781.html

https://web.archive.org/web/20250321152616/https://lists.horde.org/archives/imp/Week-of-Mon-20250317/057781.html

https://www.horde.org/download/horde

https://github.com/horde/imp/blob/fd9212ca3b72ff834504af4886f7d95138619bd4/doc/INSTALL.rst?plain=1#L61-L62

https://www.horde.org/apps/horde

https://github.com/horde/imp/blob/fd9212ca3b72ff834504af4886f7d95138619bd4/doc/INSTALL.rst?plain=1#L23-L25

https://lists.horde.org/archives/imp/Week-of-Mon-20250317/057784.html

https://github.com/horde/imp/releases/tag/v6.2.27

https://github.com/horde/base/releases/tag/v5.2.23

https://web.archive.org/web/20250321162434/https://lists.horde.org/archives/imp/Week-of-Mon-20250317/057784.html

https://github.com/natasaka/CVE-2025-30349/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.