The remote web server contains a PHP application that is vulnerable to cross-site scripting attacks.
The installation of Horde is using the Passwd module which provides support for changing passwords. The installed version of this module is earlier than 3.1.1. Such versions are reportedly affected by a cross-site scripting vulnerability that affects the 'backend' parameter of the 'main.php' script. An attacker can exploit this to execute arbitrary script code in the browser of an authenticated user.
Upgrade to Passwd H3 3.1.1 or later.