OX App Suite up to and including 7.10.6 allows XSS by forcing block-wise read.
open-xchange app suite