Cross-site scripting (XSS) vulnerability in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via the fm_id parameter in a fetchmail_prefs_save action, related to the Fetchmail configuration.
http://www.vupen.com/english/advisories/2011/0769
http://www.vupen.com/english/advisories/2010/2513
http://www.securityfocus.com/archive/1/513992/100/0/threaded
http://www.debian.org/security/2011/dsa-2204
http://securityreason.com/securityalert/8170
http://secunia.com/advisories/43896
http://secunia.com/advisories/41627
http://openwall.com/lists/oss-security/2010/10/01/6
http://lists.horde.org/archives/announce/2010/000568.html
http://lists.horde.org/archives/announce/2010/000558.html
http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde&r1=1.39.4.10&r2=1.39.4.11
http://git.horde.org/diff.php/groupware/docs/webmail/CHANGES?rt=horde&r1=1.35.2.11&r2=1.35.2.13&ty=h
http://cvs.horde.org/diff.php/imp/docs/CHANGES?rt=horde&r1=1.699.2.424&r2=1.699.2.430&ty=h