CVE-2025-30349: Cross-site Scripting in php-horde-imp

Severity: 7.2 HIGH (NVD)
EPSS: 18.6% (top 4.72%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 21

Description

Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.23, allows XSS that leads to account takeover via a crafted text/html e-mail message with an onerror attribute (that may use base64-encoded JavaScript code), as exploited in the wild in March 2025.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N (Exploitability: 3.9 | Impact: 2.7)

Affected Packages (2 packages)

Debian: debian/php-horde-imp, affected: < php-horde-imp 6.2.27-2+deb11u1 (bullseye)
CVEListV5: horde/imp 6.2.27

Vulnerability Details (3)

GHSA: GHSA-mchq-vv84-m9gr: Horde IMP through 6 (2025-03-21)
OSV: CVE-2025-30349: Horde IMP through 6 (2025-03-21)
VulnCheck: horde imp Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (2025)

Vendor Advisories (1)

Debian: CVE-2025-30349: php-horde-imp - Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.2... (2025)