From Salvatore Bonaccorso@21:1/5 to All on Thu Apr 3 22:10:01 2025
Source: php-horde-imp
Version: 6.2.27-3.1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 6.2.27-3
Hi,
The following vulnerability was published for php-horde-imp.
CVE-2025-30349[0]:
| Horde IMP through 6.2.27, as used with Horde Application Framework
| through 5.2.23, allows XSS that leads to account takeover via a
| crafted text/html e-mail message with an onerror attribute (that may
| use base64-encoded JavaScript code), as exploited in the wild in
| March 2025.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.