João Machado

**Name of the Vulnerable Software and Affected Versions** Horde Internet Mail Program (IMP) versions prior to 6.1.8 Horde Groupware Webmail Edition versions prior to 5.1.5 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via an unspecified flag in the basic mailbox or message view, potentially leading to cross-site scripting (XSS) attacks. **Recommendations** For Horde Internet Mail Program (IMP) versions prior to 6.1.8, update to version 6.1.8 or later. For Horde Groupware Webmail Edition versions prior to 5.1.5, update to version 5.1.5 or later.

**Name of the Vulnerable Software and Affected Versions** Horde versions prior to 5.1.1 **Description** The issue allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the ` formvars` form. This is due to a vulnerability in the `Variables.php` script within the Util library. **Recommendations** For versions prior to 5.1.1, update to version 5.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `Variables.php` script to minimize the risk of exploitation.