Cyber Resilience

CVE-2025-30349

Severity: High
Published: 21 March 2025
Modified: 15 April 2026
KEV Added: not in CISA KEV
Patch: available
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.4981 (97.9th percentile)
Risk Priority: 44 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-30349 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Horde IMP (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.1% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-30349 is a cross-site scripting vulnerability (CWE-79) affecting Horde IMP through version 6.2.27 when used with the Horde Application Framework through 5.2.23. It permits injection of malicious JavaScript via a crafted text/html email message containing an onerror attribute, which may incorporate base64-encoded code, ultimately enabling account takeover.

An attacker can exploit the flaw by sending a specially formatted email that triggers script execution without requiring authentication or user interaction on the recipient side. The CVSS 7.2 score reflects limited confidentiality and integrity impact with a changed scope (S:C), since the injected script runs in the recipient's browser session rather than on the component that delivered it.

The referenced GitHub releases for Horde base 5.2.23, IMP 6.2.27, and related webmail packages address the issue through updated code that resolves the XSS vector in email rendering.

The vulnerability was exploited in the wild in March 2025, coinciding with its disclosure date, and carries an EPSS score of 0.4981.

Vulnerability details

Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.23, allows XSS that leads to account takeover via a crafted text/html e-mail message with an onerror attribute (that may use base64-encoded JavaScript code), as exploited in the wild in March 2025.

CWE(s)

CWE-79 Cross-site Scripting

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (tactic: Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (tactic: Execution): Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The CVE describes a remote XSS vulnerability in the public-facing Horde IMP webmail application that allows injection and execution of arbitrary base64-encoded JavaScript code in the victim's browser context upon viewing a crafted email. This maps directly to T1190 (exploitation of the public-facing application) and T1059.007 (JavaScript execution leading to session cookie theft and account takeover).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3231 (shared CWE-79)
CVE-2025-23481 (shared CWE-79)
CVE-2025-69302 (shared CWE-79)
CVE-2025-23734 (shared CWE-79)
CVE-2025-23571 (shared CWE-79)
CVE-2025-65110 (shared CWE-79)
CVE-2026-24948 (shared CWE-79)
CVE-2025-27352 (shared CWE-79)
CVE-2026-3876 (shared CWE-79)
CVE-2025-23671 (shared CWE-79)

Affected Assets

Horde IMP (vendor and product inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Mandates timely flaw remediation by patching vulnerable Horde IMP and Framework versions to eliminate the XSS vulnerability.

SI-10 Information Input Validation (prevent): Requires validation of email inputs such as text/html content to block malformed onerror attributes and base64-encoded JavaScript.

SI-15 Information Output Filtering (prevent): Enforces filtering and encoding of email output in the webmail interface to prevent execution of injected JavaScript leading to account takeover.
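As an added example of the SI-10 and SI-15 controls above (this is not Horde's code and not part of this record), a minimal allowlist sanitizer for a text/html message part: event-handler attributes such as onerror and the other on* handlers, script-capable URL schemes, and script/style content are dropped on input, and every retained text node and attribute value is re-encoded on output so injected markup never reaches the browser as script. The tag and attribute allowlists, the sample message and the example.test URL are assumptions made for the demonstration.

```python
"""Allowlist HTML sanitizer for rendering text/html e-mail bodies (added example,
not Horde's code). Shows SI-10 input validation (drop on* attributes and unsafe
URL schemes) and SI-15 output filtering (re-encode what is kept)."""
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: tags a webmail renderer reasonably needs. Script-bearing
# tags are deliberately absent; unknown tags are dropped but their text is kept.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img", "ul", "ol",
                "li", "div", "span", "table", "tr", "td", "th", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
VOID_TAGS = {"br", "img"}
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:", "cid:")


def _url_is_safe(value):
    """Accept relative URLs and an explicit scheme allowlist; reject everything
    else (javascript:, data:, vbscript:, ...). HTMLParser has already decoded
    character references, so an entity-encoded scheme is checked in clear."""
    v = value.strip().lower()
    if ":" not in v.split("/", 1)[0]:      # no scheme before the first slash
        return True
    return v.startswith(SAFE_URL_SCHEMES)


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # (tag, attr) pairs removed; feed these to detection logging
        self._skip_depth = 0   # > 0 while inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return                           # drop the tag itself, keep its text
        kept = []
        for name, value in attrs:
            name = name.lower()
            # SI-10: any on* handler (onerror, onload, ...) or non-allowlisted attribute goes
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append((tag, name))
                continue
            if name in ("href", "src") and not _url_is_safe(value or ""):
                self.dropped.append((tag, name))
                continue
            # SI-15: re-encode the retained value on the way out
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)     # <img .../> and <br/> take the same path

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip_depth == 0:
            self.out.append(escape(data))    # SI-15: text nodes are always re-encoded


def sanitize_html_mail(body):
    """Return (sanitized_html, dropped_attributes) for one text/html message part."""
    parser = MailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample: a benign message carrying one injected event handler and
# one script-scheme link. The handler body is a placeholder, not real code.
SAMPLE_MESSAGE = (
    '<p>Hi, see the <a href="https://example.test/report">report</a>.</p>'
    '<img src="cid:logo" onerror="/* constructed handler */">'
    '<a href="javascript:/* constructed */">click</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_html_mail(SAMPLE_MESSAGE)
    print(clean)
    print("dropped:", dropped)
```

The `dropped` list is the detection hook: a text/html part that loses an `onerror` or a `javascript:` URL during sanitization is worth a log line with the message id and sender, which is how an operator would notice a campaign like the one this record describes. Note that scheme checks must run on the decoded attribute value, as here, because an entity-encoded `javascript:` is still honoured by the browser once the page is rendered.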
