CVE-2008-2783

Name of the Vulnerable Software and Affected Versions Horde Groupware, Groupware Webmail Edition, and Kronolith (affected versions not specified)

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the timestamp parameter to API endpoints such as "week.php", "workweek.php", and "day.php", and via the horde parameter in the PATH INFO to the default URI.

Recommendations For all affected versions, consider restricting access to the vulnerable API endpoints "week.php", "workweek.php", and "day.php" until a fix is available. As a temporary workaround, avoid using the timestamp parameter and the horde parameter in the PATH INFO to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.