CVE-2025-30349
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-30349
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30349.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-30349
- Related
- Published
- 2025-03-21T17:15:40Z
- Modified
- 2025-04-03T12:44:10.095486Z
- Summary
- [none]
- Details
-
Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.23, allows XSS that leads to account takeover via a crafted text/html e-mail message with an onerror attribute (that may use base64-encoded JavaScript code), as exploited in the wild in March 2025.
- References
-
- https://github.com/horde/base/releases/tag/v5.2.23
- https://github.com/horde/imp/blob/fd9212ca3b72ff834504af4886f7d95138619bd4/doc/INSTALL.rst?plain=1#L23-L25
- https://github.com/horde/imp/blob/fd9212ca3b72ff834504af4886f7d95138619bd4/doc/INSTALL.rst?plain=1#L61-L62
- https://github.com/horde/imp/releases/tag/v6.2.27
- https://github.com/horde/webmail/releases/tag/v5.2.22
- https://github.com/natasaka/CVE-2025-30349/
- https://lists.horde.org/archives/imp/Week-of-Mon-20250317/057781.html
- https://lists.horde.org/archives/imp/Week-of-Mon-20250317/057784.html
- https://web.archive.org/web/20250321152616/https://lists.horde.org/archives/imp/Week-of-Mon-20250317/057781.html
- https://web.archive.org/web/20250321162434/https://lists.horde.org/archives/imp/Week-of-Mon-20250317/057784.html
- https://www.horde.org/apps/horde
- https://www.horde.org/apps/imp
- https://www.horde.org/download/horde
- https://lists.debian.org/debian-lts-announce/2025/04/msg00008.html
- https://security-tracker.debian.org/tracker/CVE-2025-30349
Affected packages
Debian:11 / php-horde-imp
Package
- Name
- php-horde-imp
- Purl
- pkg:deb/debian/php-horde-imp?arch=source
Debian:12 / php-horde-imp
Package
- Name
- php-horde-imp
- Purl
- pkg:deb/debian/php-horde-imp?arch=source
Git / github.com/horde/base
Affected ranges
- Type
- GIT
- Repo
- https://github.com/horde/base
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Type
- GIT
- Repo
- https://github.com/horde/imp
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected
Affected versions
v4.*
v4.0.0
v4.0.0beta1
v4.0.0rc1
v4.0.0rc2
v4.0.1
v4.0.10
v4.0.11
v4.0.12
v4.0.13
v4.0.14
v4.0.15
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v5.*
v5.0.0
v5.0.0alpha1
v5.0.0beta1
v5.0.0beta2
v5.0.0beta3
v5.0.0beta4
v5.0.0beta5
v5.0.0beta6
v5.0.0rc1
v5.0.0rc2
v5.0.1
v5.0.10
v5.0.11
v5.0.12
v5.0.13
v5.0.14
v5.0.15
v5.0.16
v5.0.17
v5.0.18
v5.0.19
v5.0.2
v5.0.20
v5.0.21
v5.0.22
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.0.8
v5.0.9
v5.1.0
v5.1.0beta1
v5.1.0beta2
v5.1.0beta3
v5.1.0rc1
v5.1.1
v5.1.2
v5.1.3
v5.1.4
v5.1.5
v5.2.0
v5.2.0alpha1
v5.2.0beta1
v5.2.0beta2
v5.2.0rc1
v5.2.0rc2
v5.2.1
v5.2.10
v5.2.11
v5.2.12
v5.2.13
v5.2.14
v5.2.15
v5.2.16
v5.2.17
v5.2.18
v5.2.19
v5.2.2
v5.2.20
v5.2.21
v5.2.23
v5.2.3
v5.2.4
v5.2.5
v5.2.6
v5.2.7
v5.2.8
v5.2.9
v6.*
v6.0.0
v6.0.0alpha1
v6.0.0beta1
v6.0.0beta2
v6.0.0beta3
v6.0.0beta4
v6.0.0rc1
v6.0.0rc2
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.1.0
v6.1.0beta1
v6.1.0beta2
v6.1.0rc1
v6.1.1
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.2.0
v6.2.0alpha1
v6.2.0beta1
v6.2.0beta2
v6.2.0beta3
v6.2.0rc1
v6.2.1
v6.2.10
v6.2.11
v6.2.12
v6.2.13
v6.2.14
v6.2.15
v6.2.16
v6.2.17
v6.2.18
v6.2.19
v6.2.2
v6.2.20
v6.2.21
v6.2.22
v6.2.23
v6.2.24
v6.2.25
v6.2.26
v6.2.27
v6.2.3
v6.2.4
v6.2.5
v6.2.6
v6.2.7
v6.2.8
v6.2.9