In Appspace On-Prem versions up to and including 7.1.3, an adversary can steal a session token via cross-site scripting (XSS).
appspace on-prem