Описание
Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.23, allows XSS that leads to account takeover via a crafted text/html e-mail message with an onerror attribute (that may use base64-encoded JavaScript code), as exploited in the wild in March 2025.
Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.23, allows XSS that leads to account takeover via a crafted text/html e-mail message with an onerror attribute (that may use base64-encoded JavaScript code), as exploited in the wild in March 2025.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2025-30349
- https://github.com/horde/base/releases/tag/v5.2.23
- https://github.com/horde/imp/blob/fd9212ca3b72ff834504af4886f7d95138619bd4/doc/INSTALL.rst?plain=1#L23-L25
- https://github.com/horde/imp/blob/fd9212ca3b72ff834504af4886f7d95138619bd4/doc/INSTALL.rst?plain=1#L61-L62
- https://github.com/horde/imp/releases/tag/v6.2.27
- https://github.com/horde/webmail/releases/tag/v5.2.22
- https://github.com/natasaka/CVE-2025-30349
- https://lists.debian.org/debian-lts-announce/2025/04/msg00008.html
- https://lists.horde.org/archives/imp/Week-of-Mon-20250317/057781.html
- https://lists.horde.org/archives/imp/Week-of-Mon-20250317/057784.html
- https://web.archive.org/web/20250321152616/https://lists.horde.org/archives/imp/Week-of-Mon-20250317/057781.html
- https://web.archive.org/web/20250321162434/https://lists.horde.org/archives/imp/Week-of-Mon-20250317/057784.html
- https://www.horde.org/apps/horde
- https://www.horde.org/apps/imp
- https://www.horde.org/download/horde
Связанные уязвимости
Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.23, allows XSS that leads to account takeover via a crafted text/html e-mail message with an onerror attribute (that may use base64-encoded JavaScript code), as exploited in the wild in March 2025.
Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.23, allows XSS that leads to account takeover via a crafted text/html e-mail message with an onerror attribute (that may use base64-encoded JavaScript code), as exploited in the wild in March 2025.
Horde IMP through 6.2.27, as used with Horde Application Framework thr ...