Community  »  Applications  »  Webmail

Release notes for the latest release

The Horde Team is pleased to announce the final release of the Horde Groupware
Webmail Edition version 5.2.16.

Horde Groupware Webmail Edition is a free, enterprise ready, browser based
communication suite. Users can read, send and organize email messages with four
different webmail interfaces and manage and share calendars, contacts, tasks,
notes, files, and bookmarks with the standards compliant components from the
Horde Project.

For upgrading instructions, please see

For detailed installation and configuration instructions, please see

Thanks to Liuzhu for reporting the XSS vulnerability via data:text/html

Thanks to Dawid Gounski for reporting the missing CSRF token in the
configuration form and the XSS vulnerability with SVG images via Beyond
Security's SecuriTeam Secure Disclosure program.

Thanks to ssys GmbH for reporting the XSS vulnerability.

The major changes compared to the Horde Groupware Webmail Edition version
5.2.15 are:

Security fixes:
    * Fixed an XSS vulnerability via data:text/html content of form action and
      xlink attributes.
    * Added CSRF protection tokens to the portal layout forms.
    * Fixed an open URL redirection in the portal layout forms.
    * Enabled CSRF tokens in the configuration forms.
    * Don't render SVG images in the browser to avoid XSS attacks

General changes:
    * Several bugfixes and improvements.

Filter changes:
    * Fixed creating of new spam folders.

Tasks changes:
    * Fixed sorting of recurring tasks by due date.