The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the _formvars form.
http://www.debian.org/security/2014/dsa-2853
http://seclists.org/oss-sec/2014/q1/169