The Horde webmail suite is a popular, browser-based communication solution that can be vulnerable to certain security threats. The article discusses an unusual cross-site scripting (XSS) vulnerability in the Horde webmailer that allows an attacker to craft a malicious OpenOffice document that, when previewed as an email attachment, enables the attacker to steal all emails from the victim's account. This vulnerability was reported almost six months ago, but there is currently no official patch available. To mitigate this vulnerability, administrators can disable the rendering of OpenOffice attachments by editing the Horde installation's configuration file. The article emphasizes the importance of sanitizing HTML documents after XSLT rendering, especially when using third-party libraries or stylesheets.