Source: php-horde-imp Version: 6.2.27-3.1 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Control: found -1 6.2.27-3
Hi, The following vulnerability was published for php-horde-imp. CVE-2025-30349[0]: | Horde IMP through 6.2.27, as used with Horde Application Framework | through 5.2.23, allows XSS that leads to account takeover via a | crafted text/html e-mail message with an onerror attribute (that may | use base64-encoded JavaScript code), as exploited in the wild in | March 2025. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-30349 https://www.cve.org/CVERecord?id=CVE-2025-30349 [1] https://github.com/horde/imp/commit/8a89d755e0356e7785e555d85c881fd4774e973e Regards, Salvatore
