Moritz Naumann discovered that imp4, a webmail component for the horde framework, is prone to cross-site scripting attacks by a lack of input sanitising of certain fetchmail information.