CVE-2025-30349: XSS
First published: Fri Mar 21 2025(Updated: )
Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.23, allows XSS that leads to account takeover via a crafted text/html e-mail message with an onerror attribute (that may use base64-encoded JavaScript code), as exploited in the wild in March 2025.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Horde | <=6.2.27 | |
| Horde application framework | <=5.2.23 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/horde/webmail/releases/tag/v5.2.22
- https://www.horde.org/apps/imp
- https://lists.horde.org/archives/imp/Week-of-Mon-20250317/057781.html
- https://web.archive.org/web/20250321152616/https://lists.horde.org/archives/imp/Week-of-Mon-20250317/057781.html
- https://www.horde.org/download/horde
- https://github.com/horde/imp/blob/fd9212ca3b72ff834504af4886f7d95138619bd4/doc/INSTALL.rst?plain=1#L61-L62
- https://www.horde.org/apps/horde
- https://github.com/horde/imp/blob/fd9212ca3b72ff834504af4886f7d95138619bd4/doc/INSTALL.rst?plain=1#L23-L25
- https://lists.horde.org/archives/imp/Week-of-Mon-20250317/057784.html
- https://github.com/horde/imp/releases/tag/v6.2.27
- https://github.com/horde/base/releases/tag/v5.2.23
- https://web.archive.org/web/20250321162434/https://lists.horde.org/archives/imp/Week-of-Mon-20250317/057784.html
- https://github.com/natasaka/CVE-2025-30349/
- https://lists.debian.org/debian-lts-announce/2025/04/msg00008.html
Frequently Asked Questions
What is the severity of CVE-2025-30349?
CVE-2025-30349 is considered a high severity vulnerability due to its potential for account takeover through XSS attacks.
How do I fix CVE-2025-30349?
To remediate CVE-2025-30349, update to Horde IMP version 6.2.28 or later and Horde Application Framework version 5.2.24 or later.
What is the impact of CVE-2025-30349?
CVE-2025-30349 allows attackers to execute malicious scripts via crafted HTML emails, potentially leading to unauthorized access to user accounts.
Which versions are affected by CVE-2025-30349?
CVE-2025-30349 affects Horde IMP versions up to and including 6.2.27 and Horde Application Framework versions up to and including 5.2.23.
When was CVE-2025-30349 first exploited?
CVE-2025-30349 was reported to be exploited in the wild in March 2025.
- agent/weakness
- agent/first-publish-date
- agent/description
- agent/type
- agent/severity
- agent/author
- agent/source
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/references
- agent/tags
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/nvd-api
- source/NVD
- vendor/horde
- canonical/horde
- canonical/horde application framework