Horde IMP Cross-Site Scripting Vulnerability Leading to Account Takeover

A cross-site scripting (XSS) vulnerability has been identified in Horde IMP versions through 6.2.27, within the Horde Application Framework versions prior to 5.2.23. This vulnerability allows for account takeover by sending a crafted text/html email that includes an onerror attribute, which can be used to execute base64-encoded JavaScript. The issue was actively exploited in March 2025.

Impact

Exploitation of this vulnerability allows an attacker to hijack a user's session, potentially leading to unauthorized access to the user's account and email data.

Reproduction

The vulnerability can be reproduced by sending an email with a payload that exploits the XSS flaw to a recipient using the affected version of Horde IMP. The email must be viewed in a Horde Web Client, where the injected JavaScript will be executed. The proof-of-concept for this vulnerability, including the crafted email payload, is available in the 'natasaka/CVE-2025-30349' GitHub repository.

Remediation

Users can upgrade to Horde IMP version 6.2.27-2+deb11u1 to address this vulnerability.