CVE-2009-0931 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0931): Cross-site scripting (XSS) vulnerability in the tag cloud search script (horde/services/portal/cloud_search.php) in Horde before 3.2.4 and 3.3.3, and Horde Groupware before 1.1.5, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2009-0932 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0932): Directory traversal vulnerability in framework/Image/Image.php in Horde before 3.2.4 and 3.3.3 and Horde Groupware before 1.1.5 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the Horde_Image driver name.
Horde stabling via bug 256125.
+*horde-groupware-1.2.3 (24 Aug 2009) + + 24 Aug 2009; Alex Legler <a3li@gentoo.org> -horde-groupware-1.0.7.ebuild, + -horde-groupware-1.1.3.ebuild, -horde-groupware-1.2.ebuild, + +horde-groupware-1.2.3.ebuild: + Non-maintainer commit: Version bump for security bug 262978. Removing + vulnerable versions. ~arch only
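Review bot: the entry lists -horde-groupware-1.2.ebuild under "Removing vulnerable versions", but the CVE descriptions quoted on this bug give the affected Horde Groupware range as "before 1.1.5", so the message does not show why 1.2 counts as vulnerable. Suggest naming the issue that 1.2.3 fixes relative to 1.2, or referencing the upstream advisory, next to the "security bug 262978" reference. Since the bump is "~arch only", the entry could also point at the bug where stabling of the fixed version is tracked.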
This includes file inclusion -> B1 -> GLSA draft filed.
GLSA 200909-14