OX App Suite up to and including 7.10.4 allows XSS via a contact whose name contains JavaScript code.
open-xchange open-xchange appsuite