CVE-2005-4190

Name of the Vulnerable Software and Affected Versions Horde Application Framework versions prior to 3.0.8

Description The issue allows remote authenticated users to inject arbitrary web script or HTML via multiple vectors, including the identity field, Category and Label search fields, Mobile Phone field, and Date and Time fields when importing CSV files. This can be exploited through various modules such as Turba Address Book, Kronolith, Mnemo, and Nag.

Recommendations For versions prior to 3.0.8, update to version 3.0.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable modules, such as Turba Address Book, Kronolith, Mnemo, and Nag, until the update is applied. Additionally, avoid using the vulnerable fields, such as identity, Category, Label, Mobile Phone, Date, and Time, when importing CSV files, to minimize the risk of exploitation.