A security issue and some vulnerabilities have been reported in Horde Groupware Webmail Edition, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks and compromise a vulnerable system.

1) Certain Input passed to an email form field is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

This vulnerability may be related to vulnerability #1 in:
SA47592

2) Input passed to the compose page and contacts popup window is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

This vulnerability may be related to vulnerability #1 in:
SA47580

3) Certain input via IMAP mailbox names is not properly sanitised before being used.

For more information see vulnerability #2 in:
SA47580

The vulnerabilities #1 through #3 are reported in versions prior 1.2.11.

4) The security issue is caused due to the distribution of compromised Horde Groupware Webmail Edition source code packages containing a backdoor, which can be exploited to e.g. execute arbitrary PHP code.

The compromised source file was distributed with version 1.2.10 between 2nd November 2011 and 7th February 2012.

Solution
Update to version 1.2.11.

Provided and/or discovered by
Reported by the vendor.

Changelog
Further details available in Customer Area

Original Advisory
http://lists.horde.org/archives/announce/2012/000750.html
http://lists.horde.org/archives/announce/2012/000751.html
http://git.horde.org/diff.php/groupware/docs/webmail/CHANGES?rt=horde&r1=1.35.2.17&r2=1.35.2.18&ty=h

Other references
Further details available in Customer Area

Technical Analysis
Further details available in Customer Area

Deep Links
Links available in Customer Area