It was discovered that the Horde web application framework permits arbitrary file inclusion by a remote attacker through the theme preference parameter.