Excerpt from my SANS email:
04.23.34 CVE: Not Available
Platform: Web Application
Title: Horde IMP Input Validation Vulnerability
Description: Horde IMP is a web-based IMAP email interface written in
PHP. Insufficient sanitization of email messages that contain
malicious HTML or script code exposes an arbitrary HTML injection and
script execution issue. All current releases in the 3.x branch are
I don't see anything specific on their site about what exactly causes this (might be in the ChangeLog when you download it). Version 3.2.4 is in portage, but marked ~arch on all arches. Bug #53400 was the initial bug for getting it into portage, but no mention of the security fix.
moved 3.2.4 to stable and removed 3.2.3
GLSA drafted. Security please review.
Bugtraq announcement can be found here:
Note: bug number 53862 does not appear in the ChangeLog