Jan Schneider

**Name of the Vulnerable Software and Affected Versions** Horde versions 3.1 through 3.1.5 Horde versions 3.2 before 3.2-RC2 Turba H3 versions 2.1 through 2.1.5 Turba H3 versions 2.2 before 2.2-RC2 Kronolith H3 versions 2.1 through 2.1.6 Kronolith H3 versions 2.2 before 2.2-RC2 Nag H3 versions 2.1 through 2.1.3 Nag H3 versions 2.2 before 2.2-RC2 Mnemo H3 versions 2.1 through 2.1.1 Mnemo H3 versions 2.2 before 2.2-RC2 Horde Groupware versions 1.0 through 1.0.2 Horde Groupware versions 1.1 before 1.1-RC2 Groupware Webmail Edition versions 1.0 through 1.0.3 Groupware Webmail Edition versions 1.1 before 1.1-RC2 **Description** The issue concerns an unspecified vulnerability in the Horde API, affecting various Horde products. The impact and attack vectors of this issue are unknown. **Recommendations** For Horde versions 3.1 through 3.1.5, update to version 3.1.6 or later. For Horde versions 3.2 before 3.2-RC2, update to version 3.2-RC2 or later. For Turba H3 versions 2.1 through 2.1.5, update to version 2.1.6 or later. For Turba H3 versions 2.2 before 2.2-RC2, update to version 2.2-RC2 or later. For Kronolith H3 versions 2.1 through 2.1.6, update to version 2.1.7 or later. For Kronolith H3 versions 2.2 before 2.2-RC2, update to version 2.2-RC2 or later. For Nag H3 versions 2.1 through 2.1.3, update to version 2.1.4 or later. For Nag H3 versions 2.2 before 2.2-RC2, update to version 2.2-RC2 or later. For Mnemo H3 versions 2.1 through 2.1.1, update to version 2.1.2 or later. For Mnemo H3 versions 2.2 before 2.2-RC2, update to version 2.2-RC2 or later. For Horde Groupware versions 1.0 through 1.0.2, update to version 1.0.3 or later. For Horde Groupware versions 1.1 before 1.1-RC2, update to version 1.1-RC2 or later. For Groupware Webmail Edition versions 1.0 through 1.0.3, update to version 1.0.4 or later. For Groupware Webmail Edition versions 1.1 before 1.1-RC2, update to version 1.1-RC2 or later.

**Name of the Vulnerable Software and Affected Versions** Horde Kronolith H3 versions 2.1 through 2.1.6 and versions 2.2 through 2.2-RC1 Nag H3 versions 2.1 through 2.1.3 and versions 2.2 through 2.2-RC1 Mnemo H3 versions 2.1 through 2.1.1 and versions 2.2 through 2.2-RC1 Groupware versions 1.0 through 1.0.2 and versions 1.1 through 1.1-RC1 Groupware Webmail Edition versions 1.0 through 1.0.3 and versions 1.1 through 1.1-RC1 **Description** The issue is related to the failure to validate ownership when performing share changes. The impact and attack vectors of this issue are unknown. **Recommendations** For Horde Kronolith H3 versions 2.1 through 2.1.6, update to version 2.1.7 or later. For Horde Kronolith H3 versions 2.2 through 2.2-RC1, update to version 2.2-RC2 or later. For Nag H3 versions 2.1 through 2.1.3, update to version 2.1.4 or later. For Nag H3 versions 2.2 through 2.2-RC1, update to version 2.2-RC2 or later. For Mnemo H3 versions 2.1 through 2.1.1, update to version 2.1.2 or later. For Mnemo H3 versions 2.2 through 2.2-RC1, update to version 2.2-RC2 or later. For Groupware versions 1.0 through 1.0.2, update to version 1.0.3 or later. For Groupware versions 1.1 through 1.1-RC1, update to version 1.1-RC2 or later. For Groupware Webmail Edition versions 1.0 through 1.0.3, update to version 1.0.4 or later. For Groupware Webmail Edition versions 1.1 through 1.1-RC1, update to version 1.1-RC2 or later.

**Name of the Vulnerable Software and Affected Versions** Horde Groupware Webmail versions prior to Edition 1.1.1 (final) **Description** The issue is related to unescaped output, possibly leading to cross-site scripting (XSS) in the object browser and contact view. **Recommendations** For versions prior to Edition 1.1.1 (final), update to Edition 1.1.1 (final) or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Horde Application Framework versions 3.0 through 3.0.9 Horde Application Framework versions 3.1 through 3.1.0 Description: The issue allows remote attackers to execute arbitrary code via the help viewer. This is due to an eval injection vulnerability. Recommendations: For Horde Application Framework versions 3.0 through 3.0.9, update to version 3.0.10 or later. For Horde Application Framework versions 3.1 through 3.1.0, update to version 3.1.1 or later.

Name of the Vulnerable Software and Affected Versions: Horde Kronolith module versions prior to 1.1.4 Description: A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title. Recommendations: For versions prior to 1.1.4, update to version 1.1.4 or later to resolve the issue.