XSS Vulnerability in Afterlogic Aurora Webmail Version 9.8.3 and Below
CVE-2025-12460

5.3MEDIUM

Key Information:

Vendor: Afterlogic
Status: Aurora
Vendor: CVE Published:; 31 October 2025

Badges

👾 Exploit Exists

What is CVE-2025-12460?

A cross-site scripting (XSS) vulnerability exists in Afterlogic Aurora webmail versions prior to 9.8.4. It allows attackers to send specially crafted HTML emails featuring JavaScript embedded within an img HTML tag. When such an email is opened, it can execute arbitrary JavaScript code in the user’s browser, potentially compromising sensitive user data and leading to unauthorized actions within the user's webmail session.

Affected Version(s)

Aurora 0 <= 9.8.3

References

https://auroramail.wordpress.com/2025/10/28/xss-vulnerabi...

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
Oct 31, 2025
Vulnerability published
Oct 31, 2025
Vulnerability Reserved
Oct 29, 2025

Credit

Matthieu Faou (ESET)

JSON