CVE-2010-3695

Name of the Vulnerable Software and Affected Versions Horde IMP versions prior to 4.3.8 Horde Groupware Webmail Edition versions prior to 1.2.7

Description The issue allows remote attackers to inject arbitrary web script or HTML via the fm id parameter in a "fetchmail prefs save" action, related to the Fetchmail configuration. This is a cross-site scripting (XSS) issue.

Recommendations For Horde IMP versions prior to 4.3.8, update to version 4.3.8 or later. For Horde Groupware Webmail Edition versions prior to 1.2.7, update to version 1.2.7 or later. As a temporary workaround, consider restricting access to the fetchmailprefs.php file until a patch is available. Avoid using the fm id parameter in the affected action until the issue is resolved.