CVE-2006-3548

Name of the Vulnerable Software and Affected Versions Horde Application Framework versions 3.0.0 through 3.0.10 Horde Application Framework versions 3.1.0 through 3.1.1

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via several methods, including using a javascript URI or an external http, https, or ftp URI in the url parameter in "services/go.php", a javascript URI in the module parameter in "services/help", and the name parameter in "services/problem.php".

Recommendations For Horde Application Framework versions 3.0.0 through 3.0.10, update to a version outside of this range to mitigate the risk. For Horde Application Framework versions 3.1.0 through 3.1.1, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the "services/go.php", "services/help", and "services/problem.php" endpoints until a patch is available. Avoid using the url parameter in "services/go.php", the module parameter in "services/help", and the name parameter in "services/problem.php" until the issue is resolved.