CVE-2025-12460 MEDIUM

CVE-2025-12460: Stored XSS vulnerability in Afterlogic Aurora webmail

Vendor Afterlogic
Product Aurora
Weakness CWE-79 · XSS
Published October 31, 2025
Last update October 31, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

An XSS issue was discovered in Afterlogic Aurora webmail version 9.8.3 and below. An attacker can send a specially crafted HTML e-mail message with JavaScript in an img HTML tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail user's browser window, and access user data.

Key dates

02Disclosure timeline

October 31, 2025 CVE published
October 31, 2025 Record updated