Some vulnerabilities have been reported in Horde, which can be exploited by malicious people to conduct phishing and cross-site scripting attacks.
Input passed to the "url" parameter in index.php isn't properly verified before it is being used to include an arbitrary web site in a frameset. This can e.g. be exploited to trick a user into believing certain malicious content is served from a trusted web site. Some unspecified input passed in index.php isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.