CVE-2010-4778

Name of the Vulnerable Software and Affected Versions Horde IMP versions prior to 4.3.8 Horde Groupware Webmail Edition versions prior to 1.2.7

Description The issue allows remote attackers to inject arbitrary web script or HTML via the username (aka fmusername), password (aka fmpassword), or server (aka fmserver) field in a fetchmail prefs save action, related to the Fetchmail configuration.

Recommendations For Horde IMP versions prior to 4.3.8, update to version 4.3.8 or later. For Horde Groupware Webmail Edition versions prior to 1.2.7, update to version 1.2.7 or later. As a temporary workaround, consider restricting access to the fetchmailprefs.php file until a patch is available. Avoid using the username, password, or server fields in the fetchmail prefs save action until the issue is resolved.