Packet Storm, PACKETSTORM:94299
Sep 28, 2010

Horde IMP 4.3.7 Cross Site Scripting

Moritz Naumann
packetstormsecurity.com
Hi,  
  
Horde IMP v4.3.7 and lower are subject to a cross site scripting (XSS)  
vulnerability:  
  
The fetchmailprefs.php script fails to properly sanitize user supplied  
input to the 'fm_id' URL parameter. If exploited, injected code will be  
persistent (persistent XSS) and will execute once the user (manually)  
accesses mail fetching preferences.  
  
The following URL can be used as a proof of concept:  
> [path_to_horde_imp]/fetchmailprefs.php?actionID=fetchmail_prefs_save&fm_driver=imap&fm_id=zzz%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%3Cx+y%3D%22&fm_protocol=pop3&fm_lmailbox=INBOX&save=Create  
  
Prior authentication to IMP is required for immediate exploitation.  
Follow-up authentication is also possible if the victim's IMP  
configuration has folder maintenance options disabled.  
  
This issue has been fixed by Jan Schneider of the Horde Project:  
> http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde&r1=1.39.4.10&r2=1.39.4.11  
  
According to him, Horde IMP v4.3.8 (or a release candidate) which fixes  
this issue is to be released within the week. Release announcements will  
likely be communicated through  
http://lists.horde.org/mailman/listinfo/announce  
  
Credits for this discovery:  
  
Moritz Naumann  
Naumann IT Security Consulting, Berlin, Germany  
http://moritz-naumann.com  
  
Thanks for reading,  
  
Moritz  
  
--   
Naumann IT Security Consulting  
Samariterstr. 16  
10247 Berlin  
Germany  
  
Web http://moritz-naumann.com  
GPG http://moritz-naumann.com/keys/0x277F060C.asc  
17FE F47E CE81 FC3A 8D6C 85A0 9FA1 A4BD 277F 060C  
  
Proprietor: Moritz Naumann · Tax no. 22/652/12010 · VAT ID DE266365097  
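The attribute break-out the advisory describes, as an added example that is not code from the advisory or from Horde IMP: it URL-decodes fm_id from the proof-of-concept URL above, persists it the way a "save" handler would, then renders it into a hypothetical preferences form both raw and through html.escape, and parses each result to show which version creates a real script element. The host, path prefix, form markup and in-memory preferences store are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs
import html

# Proof-of-concept URL from the advisory; the host and path prefix are
# placeholders standing in for [path_to_horde_imp] (assumption).
POC_URL = (
    "https://mail.example.org/horde/imp/fetchmailprefs.php"
    "?actionID=fetchmail_prefs_save&fm_driver=imap"
    "&fm_id=zzz%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%3Cx+y%3D%22"
    "&fm_protocol=pop3&fm_lmailbox=INBOX&save=Create"
)


def fm_id_from_url(url):
    """URL-decode the fm_id parameter exactly as the web server would."""
    return parse_qs(urlsplit(url).query)["fm_id"][0]


def save_fetchmail_pref(store, fm_id):
    """Hypothetical 'save' handler: the raw value is persisted as-is,
    which is what makes the injection stored rather than reflected."""
    store["fm_id"] = fm_id
    return store


def render_prefs_page(store, escape):
    """Hypothetical preferences page that echoes the stored fm_id into an
    HTML attribute. With escape=False the double quote in the payload closes
    the attribute and the rest of the payload becomes live markup."""
    value = store["fm_id"]
    if escape:
        # html.escape(quote=True) neutralises <, >, &, " and ' so the browser
        # sees text inside the attribute, not a terminator and new tags.
        value = html.escape(value, quote=True)
    return '<input type="hidden" name="fm_id" value="%s">' % value


class _TagCollector(HTMLParser):
    """Records start tags in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_names(markup):
    """Parse the markup and return the element names it creates; a 'script'
    entry means the injected payload would execute in the victim's browser."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    fm_id = fm_id_from_url(POC_URL)
    store = save_fetchmail_pref({}, fm_id)
    for escape in (False, True):
        page = render_prefs_page(store, escape)
        print("escape=%s elements=%s" % (escape, element_names(page)))
```

Run it and the unescaped rendering yields input, script and x elements, while the escaped rendering yields only the input element: the fix is to escape at the point of output into the attribute, not to filter the URL parameter on the way in.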