CVE-2017-16906: In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a "Calendar -> New Event" action.
CVE-2017-16908: In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a new Resource. This can be leveraged for remote code execution after compromising an administrator account, because the CVE-2015-7984 CSRF protection mechanism can then be bypassed.
Please fix them.
Last update: 2019-04-07
Standards version of the package is outdated.
The package should be updated to follow the latest version of Debian Policy
(Standards-Version 4.3.0 instead of