Back to KEVs

CVE-2025-30349

Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.23, allows XSS that leads to account takeover via a crafted...

Basic Information

CVE State
PUBLISHED
Reserved Date
March 21, 2025
Published Date
March 21, 2025
Last Updated
April 03, 2025
Vendor
Horde
Product
IMP
Description
Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.23, allows XSS that leads to account takeover via a crafted text/html e-mail message with an onerror attribute (that may use base64-encoded JavaScript code), as exploited in the wild in March 2025.

CVSS Scores

CVSS v3.1

7.2 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

SSVC Information

Exploitation
poc
Automatable
Yes
Technical Impact
partial

Exploit Status

Exploited in the Wild
Yes (added 2025-03-21 00:00:00 UTC) Source
Proof of Concept Available
Yes (added 2025-03-27 20:22:45 UTC) Source

References

https://github.com/horde/webmail/releases/tag/v5.2.22 https://www.horde.org/apps/imp https://lists.horde.org/archives/imp/Week-of-Mon-20250317/057781.html https://web.archive.org/web/20250321152616/https://lists.horde.org/archives/imp/Week-of-Mon-20250317/057781.html https://www.horde.org/download/horde https://github.com/horde/imp/blob/fd9212ca3b72ff834504af4886f7d95138619bd4/doc/INSTALL.rst?plain=1#L61-L62 https://www.horde.org/apps/horde https://github.com/horde/imp/blob/fd9212ca3b72ff834504af4886f7d95138619bd4/doc/INSTALL.rst?plain=1#L23-L25 https://lists.horde.org/archives/imp/Week-of-Mon-20250317/057784.html https://github.com/horde/imp/releases/tag/v6.2.27 https://github.com/horde/base/releases/tag/v5.2.23 https://web.archive.org/web/20250321162434/https://lists.horde.org/archives/imp/Week-of-Mon-20250317/057784.html https://github.com/natasaka/CVE-2025-30349/

Known Exploited Vulnerability Information

Source Added Date
CVE 2025-03-21 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

natasaka/CVE-2025-30349

Type: github • Created: 2025-03-27 20:22:45 UTC • Stars: 0

Horde IMP (through 6.2.27) vulnerability – obfuscation via HTML encoding – XSS payload