This [3.0.7] is a security release that fixes cross site
scripting vulnerabilities in two of Horde's MIME viewers. These
holes could for example be exploited by an attacker sending
specially crafted emails to Horde's webmail client IMP. The
attack could be used to steal users' identity information, taking
over users' sessions, or changing users' settings.
As a hotfix the css and tgz MIME drivers can be disabled by
removing their entries from the
$mime_drivers_map['horde']['registered'] list in
horde/config/mime_drivers.php.