Cross-site request forgery (CSRF) vulnerability in the Horde Application Framework before 3.3.9 allows remote attackers to hijack the authentication of unspecified victims for requests to a preference form.