CVE-2008-2783 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2783): Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware, Groupware Webmail Edition, and Kronolith allow remote attackers to inject arbitrary web script or HTML via the timestamp parameter to (1) week.php, (2) workweek.php, and (3) day.php; and (4) the horde parameter in the PATH_INFO to the default URI. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
I did not see this mentioned as fixed in the latest releases. Correct me if I am wrong there. setting [upstream] for now (This bug could be used as a tracker for 3 package bugs when the fix is available)
Closing as the individual packages have been bumped to the fixed versions. Only kronolith still awaits stabilization.