CVE-2025-30349
Published: 21 March 2025
Summary
CVE-2025-30349 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Horde IMP (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-30349 is a cross-site scripting vulnerability (CWE-79) affecting Horde IMP through version 6.2.27 when used with the Horde Application Framework through 5.2.23. It permits injection of malicious JavaScript via a crafted text/html email message containing an onerror attribute, which may incorporate base64-encoded code, ultimately enabling account takeover.
An attacker can exploit the flaw by sending a specially formatted email that triggers script execution without requiring authentication or user interaction on the recipient side. As reflected in its CVSS 7.2 score, the impact on confidentiality and integrity is limited but crosses security boundaries.
The referenced GitHub releases for Horde base 5.2.23, IMP 6.2.27, and related webmail packages address the issue through updated code that resolves the XSS vector in email rendering.
The vulnerability was exploited in the wild in March 2025, coinciding with its disclosure date, and carries an EPSS score of 0.4981.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7227
Vulnerability details
Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.23, allows XSS that leads to account takeover via a crafted text/html e-mail message with an onerror attribute (that may use base64-encoded JavaScript code), as exploited in the wild in March 2025.
CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote XSS vulnerability in the public-facing Horde IMP webmail application that allows injection and execution of arbitrary base64-encoded JavaScript in the victim's browser context when a crafted email is viewed. This maps directly to T1190 (exploitation of the public-facing application) and to T1059.007 (JavaScript execution), the latter leading to session cookie theft and account takeover.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): mandates timely flaw remediation by patching vulnerable Horde IMP and Framework versions to eliminate the XSS vulnerability.
- SI-10 (Information Input Validation): requires validation of email inputs such as text/html content to block malformed onerror attributes and base64-encoded JavaScript.
- SI-15 (Information Output Filtering): enforces filtering and encoding of email output in the webmail interface to prevent execution of injected JavaScript leading to account takeover.
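The two controls above describe, in abstract terms, what a webmail renderer has to do with an untrusted text/html body. The following is an added example (not Horde code, and not the fix shipped in the referenced releases) of an allow-list HTML sanitizer that implements both: it discards every on* event-handler attribute without inspecting its value, so a base64-wrapped payload in onerror is dropped rather than decoded, drops non-http(s)/mailto URLs in href and src, removes script-bearing elements wholesale, and re-escapes all text on output. The element and attribute allow-lists, the function names, and the sample message are constructed for illustration.

```python
"""Added example: allow-list sanitizer for untrusted text/html mail bodies.
Illustrates NIST 800-53 SI-10 (input validation) and SI-15 (output filtering)
for CWE-79 in a webmail client. Not Horde code; all names are constructed."""

from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: elements and attributes permitted in a rendered body.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img", "ul", "ol",
                "li", "div", "span", "blockquote", "table", "tr", "td", "th",
                "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
# Elements whose entire content is dropped, not just the tags.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "svg", "math"}
VOID_TAGS = {"br", "img"}
# Relative URLs (empty scheme), http(s) and mailto are kept; javascript:, data:
# and every other scheme are discarded.
SAFE_URL_SCHEMES = {"", "http", "https", "mailto"}


class MailHtmlSanitizer(HTMLParser):
    """Re-serialises HTML keeping only allow-listed tags and attributes.
    Every on* attribute (onerror, onload, onclick, ...) is discarded regardless
    of its value, so no payload decoding is attempted. Counts what it removed
    so the ingest path can flag the message (SI-10)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped_handlers = 0
        self.dropped_urls = 0
        self._skip_depth = 0  # >0 while inside a DROP_CONTENT_TAGS element

    @staticmethod
    def _safe_url(value):
        # Browsers strip ASCII whitespace/control characters from URLs, so a
        # scheme split by a tab or newline must be checked with them removed.
        cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
        return urlparse(cleaned).scheme.lower() in SAFE_URL_SCHEMES

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown element: drop the tag itself, keep its text
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if name.startswith("on"):
                self.dropped_handlers += 1
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not self._safe_url(value):
                self.dropped_urls += 1
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))  # SI-15: encode on output


def sanitize_html_body(html_body):
    """SI-15 output filtering: returns (clean_html, report)."""
    parser = MailHtmlSanitizer()
    parser.feed(html_body)
    parser.close()
    report = {"dropped_handlers": parser.dropped_handlers,
              "dropped_urls": parser.dropped_urls}
    return "".join(parser.out), report


def validate_incoming_html(html_body):
    """SI-10 input validation at ingest: True when the message carried content
    the renderer would have to strip, so the pipeline can log or alert on it."""
    _, report = sanitize_html_body(html_body)
    return report["dropped_handlers"] > 0 or report["dropped_urls"] > 0


# Constructed sample of the message class the advisory describes: an <img>
# whose onerror handler would run attacker-controlled JavaScript.
SAMPLE_MESSAGE = (
    '<p>Invoice attached.</p>'
    '<img src="https://example.invalid/logo.png" alt="logo" onerror="PAYLOAD_PLACEHOLDER">'
    '<a href="javascript:void(0)" onclick="x()">click here</a>'
    '<script>stolen()</script>'
)

if __name__ == "__main__":
    clean, report = sanitize_html_body(SAMPLE_MESSAGE)
    print(clean)
    print(report, "flagged:", validate_incoming_html(SAMPLE_MESSAGE))
```

Design notes: an allow-list is used rather than a deny-list because CWE-79 fixes that enumerate bad attributes are routinely bypassed by case variants, whitespace in the scheme, or a handler name the list forgot; here anything not explicitly permitted is gone. The ingest-side check reuses the same sanitizer so the two controls cannot drift apart, and it returns a flag rather than rejecting the mail, since legitimate senders do occasionally emit sloppy HTML.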