VYPR
Medium severity · NVD Advisory · Published Oct 31, 2025 · Updated Apr 15, 2026

CVE-2025-12460

Description

An XSS issue was discovered in Afterlogic Aurora webmail version 9.8.3 and below. An attacker can send a specially crafted HTML e-mail message with JavaScript in an img HTML tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail user's browser window, and access user data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An XSS vulnerability in Afterlogic Aurora webmail ≤9.8.3 allows attackers to execute arbitrary JavaScript via a crafted HTML email with JavaScript in an img tag.

Vulnerability

CVE-2025-12460 is a stored Cross-Site Scripting (XSS) vulnerability affecting Afterlogic Aurora webmail version 9.8.3 and earlier. The root cause is insufficient sanitization of HTML email content, specifically in the MailSo/Base/HtmlUtils.php file. An attacker can craft an email containing a malicious `<img>` tag with inline JavaScript that is not properly filtered when the email is rendered in the browser [1].

Exploitation

To exploit this vulnerability, an attacker sends a specially crafted HTML email to a victim. No authentication is required from the attacker beyond the ability to send email to the target user. The victim only needs to view the email in the Aurora webmail interface. The malicious JavaScript embedded in the `<img>` tag executes in the context of the victim's browser session [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript within the security context of the webmail application. This can lead to theft of session cookies, exfiltration of email content, unauthorized actions performed on behalf of the victim, or other client-side attacks that a typical XSS enables. The vulnerability does not provide direct server-side access but compromises the user's browser session [1].

Mitigation

The vendor verified the fix and issued a patch. Users can either wait for the next official release or apply the patch manually. The patch introduces a new SanitizeComments() function in HtmlUtils.php and improves the sanitization of HTML comments and attributes. A hotfix is also available: replace the affected file with the patched version [1]. No exploitation in the wild was known at the time of the advisory, and there is no indication that the CVE is on the KEV list.
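The advisory describes the fix only at the level of "sanitize HTML comments and attributes". The following is an added example, not Aurora's HtmlUtils.php code, of what those two controls look like in an allowlist-based HTML e-mail sanitizer: the message is rebuilt from an explicit allowlist of tags and attributes, HTML comments are discarded outright, `on*` event-handler attributes never survive, and URL-bearing attributes are checked against a scheme allowlist after stripping the whitespace and control characters that defeat naive prefix checks. The tag and attribute allowlists and the sample message are assumptions made for this example.

```python
from html import escape
from html.parser import HTMLParser

# Allowlists are an assumption for this example; a real webmail sanitizer
# carries a larger, but still explicit, allowlist.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img",
                "div", "span", "ul", "ol", "li", "table", "tr", "td", "th"}
VOID_TAGS = {"br", "img"}
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "td": {"colspan", "rowspan"},
    "th": {"colspan", "rowspan"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http:", "https:", "mailto:", "cid:")
# Elements whose content is dropped together with the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}


def is_safe_url(value: str) -> bool:
    """Allow only listed schemes; whitespace/control characters are removed
    first so a padded 'java\\tscript:' cannot slip past the prefix check.
    Anything containing ':' is treated as scheme-bearing (conservative)."""
    compact = "".join(ch for ch in value if ord(ch) > 0x20).lower()
    if ":" not in compact:
        return True  # relative URL, no scheme
    return compact.startswith(SAFE_SCHEMES)


class EmailHtmlSanitizer(HTMLParser):
    """Rebuilds the message from the allowlist; everything else is dropped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._skip_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text content
        kept = []
        for name, value in attrs:  # HTMLParser already lowercases names
            value = value or ""
            if name.startswith("on"):
                continue  # event handlers (onerror, onload, ...) never survive
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in URL_ATTRS and not is_safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions carry no legitimate
    # content in a rendered e-mail, so they are removed outright.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass


def sanitize_email_html(html: str) -> str:
    parser = EmailHtmlSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample message (not from the advisory): benign markup mixed with
# the constructs the sanitizer must strip.
SAMPLE_EMAIL_HTML = (
    "<p>Hello <b>team</b>,</p>"
    '<!-- <img src="x" onerror="x()"> -->'
    '<img src="cid:logo@example" alt="logo" onerror="x()">'
    '<a href="java\tscript:x()">link</a>'
    '<a href="https://example.com/report">report</a>'
    "<script>x()</script>"
)

if __name__ == "__main__":
    print(sanitize_email_html(SAMPLE_EMAIL_HTML))
```

The design choice worth noting is that the sanitizer never tries to recognise "bad" markup; it only re-emits what is known good, so a construct the filter has never seen (a new attribute, an odd encoding of a handler name) is dropped by default rather than passed through. A denylist of attribute names, by contrast, has to be complete to be correct.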

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 1

News mentions: 0