Peter Paul Elfferich discovered that turba2, a contact management component for horde framework, did not correctly check access rights before allowing users to edit addresses. This could result in valid users being able to alter private address records.