CVE-2025-30349
Severity: HIGH 7.2
EPSS: 40.3%
php-horde-imp - security update
Published: 3/21/2025
Modified: 4/28/2026
Description
Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.23, allows XSS that leads to account takeover via a crafted text/html e-mail message with an onerror attribute (that may use base64-encoded JavaScript code), as exploited in the wild in March 2025.
Affected packages (2)
- Debian/php-horde-imp from 0, < 6.2.27-2+deb11u1
- Debian/php-horde-imp from 0, < 6.2.27-2+deb11u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |