PT-2025-12433

Published: 2025-03-21 · Updated: 2025-05-23 · CVE-2025-30349

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
Horde IMP versions prior to 6.2.27
Horde Application Framework versions prior to 5.2.23

Description
A Cross-Site Scripting (XSS) vulnerability was discovered in Horde IMP, allowing an attacker to hijack a user session by sending a crafted e-mail to an IMP user. The vulnerability can be exploited via a crafted text/html e-mail message with an onerror attribute, which may use base64-encoded JavaScript code. This issue has been exploited in the wild in March 2025.

Recommendations
For Horde IMP versions prior to 6.2.27, upgrade to version 6.2.27-2+deb11u1 or later. For Horde Application Framework versions prior to 5.2.23, consider disabling the vulnerable component until a patch is available. As a temporary workaround, consider restricting access to the onerror attribute in e-mail messages to minimize the risk of exploitation.
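A defender-side check for the vector described above: the following is an added example, not code from Horde or from this advisory. It walks the text/html MIME parts of a message and reports inline event-handler attributes such as onerror, which is the kind of filter the workaround in the recommendations calls for; the sample message and its placeholder attribute value are constructed for illustration.

```python
"""Flag inline event-handler attributes (e.g. onerror) in the text/html parts of an e-mail."""
import email
from email import policy
from html.parser import HTMLParser


class EventHandlerFinder(HTMLParser):
    """Collect every attribute whose name starts with 'on' (inline script handlers)."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute name, attribute value)

    def handle_starttag(self, tag, attrs):
        # Self-closing tags (<img ... />) are routed here too by HTMLParser.
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.findings.append((tag, name.lower(), value or ""))


def find_event_handlers(html: str):
    """Return all (tag, attr, value) triples for on* attributes in an HTML string."""
    parser = EventHandlerFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_message(raw: bytes):
    """Parse a raw RFC 5322 message and scan each text/html part for event handlers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(find_event_handlers(part.get_content()))
    return findings


# Constructed sample message (not a real capture); the onerror value is a
# non-executable placeholder standing in for the payload the advisory describes.
SAMPLE_EML = b"""From: sender@example.invalid
To: user@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello</p><img src="x" onerror="PLACEHOLDER_NOT_EXECUTABLE"></body></html>
"""

if __name__ == "__main__":
    for tag, attr, value in scan_message(SAMPLE_EML):
        print(f"event handler in <{tag}>: {attr}={value!r}")
```

A mail gateway or webmail sanitizer would reject or strip the flagged attributes rather than only reporting them; this example stops at detection so the result can be inspected.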

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-30349
DLA-4113-1

Affected Products

Debian
Horde Application Framework
Horde Imp