XSS Vulnerability in Horde IMP and Application Framework
CVE-2025-30349

7.2 HIGH

Key Information:

Vendor: Horde
Status: Vendor
CVE Published: 21 March 2025

What is CVE-2025-30349?

Horde IMP through 6.2.27 and the Horde Application Framework through 5.2.23 contain a cross-site scripting (XSS) vulnerability in the display of HTML e-mail. An attacker who can deliver mail to a victim sends a crafted text/html message in which an element carries an onerror event-handler attribute. The handler is not removed by the HTML filtering applied before display, so when the victim opens the message in the webmail interface the handler runs in the victim's browser, in the context of the authenticated webmail session. The handler body may be base64-encoded JavaScript that is decoded at run time, a common way to keep the literal script text out of the message so that simple content filters do not see it. Script running in the victim's session can read and send mail and change settings on the victim's behalf, up to full account takeover. The vulnerability has been exploited in the wild since March 2025, so affected installations should be updated promptly; until an update is applied, not rendering HTML message bodies inline (showing them as plain text or as an attachment to be opened deliberately) removes the attack surface.
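To make the mechanism concrete, the following is an added example written for this page in Python; it is not Horde or IMP code. It constructs a sample text/html message of the shape the advisory describes (the message, addresses and payload are made up for the example), walks the MIME parts, flags every event-handler attribute in text/html parts, decodes an embedded atob('...') payload so an analyst can read the script that would run, and shows a small allowlist-style re-serialiser that drops event handlers, javascript: URLs and active-content tags. The function and class names (build_sample_message, scan_html_parts, sanitize_html) are this example's own.

```python
import base64
import html
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

EVENT_ATTR = re.compile(r"^on\w+$", re.I)  # onerror, onload, onclick, ...
ATOB_CALL = re.compile(r"""atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")
DROP_TAGS = {"script", "iframe", "object", "embed"}


def build_sample_message():
    """Constructed text/html message of the shape the advisory describes (not a real sample)."""
    script = "alert(document.cookie)"
    b64 = base64.b64encode(script.encode()).decode()
    msg = EmailMessage()
    msg["From"] = "attacker@example.net"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    # src never loads, so the browser fires onerror and evaluates the decoded script.
    msg.add_alternative(
        '<p>Please see the attached invoice.</p>'
        '<img src="x" onerror="eval(atob(%r))">' % b64,
        subtype="html",
    )
    return msg.as_string()


class EventHandlerFinder(HTMLParser):
    """Records every on* attribute and decodes an embedded atob('...') payload if present."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not EVENT_ATTR.match(name):
                continue
            decoded = None
            m = ATOB_CALL.search(value or "")
            if m:
                try:
                    decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
                except ValueError:
                    decoded = None  # malformed base64: still a finding, just not decodable
            self.findings.append({"tag": tag, "attr": name, "value": value, "decoded": decoded})


def scan_html_parts(raw_message):
    """Parse an RFC 5322 message and return event-handler findings from its text/html parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        finder = EventHandlerFinder()
        finder.feed(body)
        finder.close()
        findings.extend(finder.findings)
    return findings


class Sanitizer(HTMLParser):
    """Re-serialises HTML, dropping on* attributes, javascript: URLs and active-content tags."""

    def __init__(self):
        super().__init__()
        self.out = []
        self._skipping = 0  # depth inside a dropped tag; its content is discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_TAGS:
            self._skipping += 1
            return
        if self._skipping:
            return
        kept = []
        for name, value in attrs:
            if EVENT_ATTR.match(name):
                continue
            if name in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_TAGS:
            self._skipping = max(0, self._skipping - 1)
            return
        if not self._skipping:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(body):
    s = Sanitizer()
    s.feed(body)
    s.close()
    return "".join(s.out)
```

Running scan_html_parts(build_sample_message()) reports one finding, the img element's onerror attribute, with the decoded script alert(document.cookie). The sanitiser illustrates the principle of rebuilding markup from parsed tokens rather than pattern-matching the raw string; a production filter must additionally deal with entity and whitespace obfuscation of URL schemes, CSS-based vectors and the full list of active attributes, which is exactly the kind of gap the CVE describes.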

Affected Version(s)

Horde IMP: all versions up to and including 6.2.27
Horde Application Framework: all versions up to and including 5.2.23

EPSS Score

29%: estimated probability of exploitation activity in the next 30 days.

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published: 21 March 2025

  • Vulnerability reserved