CVE-2017-16906
In Horde Groupware 5.2.19, there is XSS via the URL field in a "Calendar -> New Event" action.

CVE-2017-16907
In Horde Groupware 5.2.19, there is XSS via the Color field in a Create Task List action.

CVE-2017-16908
In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a new Resource. This can be leveraged for remote code execution after compromising an administrator account, because the CVE-2015-7984 CSRF protection mechanism can then be bypassed.

References:
https://code610.blogspot.cz/2017/11/rce-via-xss-horde-5219.html

Created php-horde-horde tracking bugs for this issue:

Affects: epel-all [bug 1515690]
Affects: fedora-all [bug 1515691]

php-horde-horde is NOT Horde Groupware.