OVAL

DSA-1765-1 horde3 -- Multiple vulnerabilities

ID: oval:org.secpod.oval:def:600405
Date: (C)2011-05-13   (M)2022-10-10
Class: PATCH
Family: unix




Several vulnerabilities have been found in horde3, the Horde web application framework. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2009-0932: Gunnar Wrobel discovered a directory traversal vulnerability, which allows attackers to include and execute arbitrary local files via the driver parameter in Horde_Image.

CVE-2008-3330: It was discovered that an attacker could perform a cross-site scripting attack via the contact name, which allows attackers to inject arbitrary HTML code. This requires that the attacker has access to create contacts.

CVE-2008-5917: It was discovered that the Horde XSS filter is prone to a cross-site scripting attack, which allows attackers to inject arbitrary HTML code. This is only exploitable when Internet Explorer is used.

For the oldstable distribution, these problems have been fixed in version 3.1.3-4etch5.

For the stable distribution, these problems have been fixed in version 3.2.2+debian0-2, which was already included in the lenny release.

For the testing distribution and the unstable distribution, these problems have been fixed in version 3.2.2+debian0-2.

We recommend that you upgrade your horde3 packages.

Platform:
Debian 4.0
Product:
horde3
Reference:
DSA-1765-1
CVE-2009-0932
CVE-2008-3330
CVE-2008-5917
CPE:
cpe:/o:debian:debian_linux:4.0

© SecPod Technologies