OX App Suite before frontend 7.10.6-rev24 allows cross-site scripting (XSS) via data supplied to the Tumblr portal widget, such as a post title.
open-xchange ox app suite 7.10.6
open-xchange ox app suite