CVE-2025-30349
Published: 21 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-30349 is a cross-site scripting (XSS) vulnerability affecting Horde IMP through version 6.2.27 when used with the Horde Application Framework through version 5.2.23. The flaw arises from insufficient sanitization of crafted text/html email messages containing an onerror attribute, which can execute base64-encoded JavaScript code. This issue, classified under CWE-79, enables reflected XSS that escalates to full account takeover.
Attackers require no privileges and can exploit this remotely over the network with low complexity and no user interaction beyond the victim viewing the malicious email in their webmail interface. By sending a specially crafted email, an attacker triggers the onerror handler upon image load failure or similar events, injecting and executing arbitrary JavaScript in the victim's browser context. This grants access to session cookies, credentials, and other sensitive data, allowing complete compromise of the targeted user account.
Mitigation involves upgrading to patched versions, including Horde IMP 6.2.27, Horde base 5.2.23, and Horde webmail 5.2.22, as detailed in their respective GitHub release notes. Installation documentation in Horde IMP's INSTALL.rst also references configuration steps for secure deployment post-upgrade.
The vulnerability has been exploited in the wild as of March 2025, highlighting active threat actor interest in Horde-based webmail deployments.
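A defender-side check for the message shape described above, added here as an example (it is not Horde's sanitizer or any project's code): it walks a message's text/html parts and reports every `on*` event-handler attribute, noting whether the handler value refers to base64 decoding. The sample message, the addresses and the names `scan_message`, `HandlerFinder` and `B64_HINT` are constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample message: the handler only decodes the base64 string
# "constructed" and does nothing with the result.
SAMPLE_EML = """\
From: sender@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

plain body
--b1
Content-Type: text/html; charset="utf-8"

<p>hello</p><IMG SRC="cid:missing" OnError="atob('Y29uc3RydWN0ZWQ=')">
--b1--
"""

B64_HINT = re.compile(r"atob\s*\(|base64", re.I)


class HandlerFinder(HTMLParser):
    """Collects every on* event-handler attribute in an HTML body."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases names and decodes character references in
        # attribute values, so OnError and entity-encoded values still match.
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append((tag, name, bool(B64_HINT.search(value or ""))))


def scan_message(raw):
    """Return (tag, attribute, base64_hint) for each handler in text/html parts."""
    findings = []
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = HandlerFinder()
            finder.feed(part.get_content())
            finder.close()
            findings.extend(finder.findings)
    return findings
```

A non-empty result is a reason to quarantine or strip the part before it reaches the webmail renderer; it complements the upgrade and does not replace it.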
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote XSS vulnerability in the public-facing Horde IMP webmail application that allows injection and execution of arbitrary base64-encoded JavaScript code in the victim's browser context upon viewing a crafted email, directly mapping to T1190 for exploitation of the public-facing application and T1059.007 for JavaScript execution leading to session cookie theft and account takeover.