OX App Suite 7.10.4 and earlier allows XSS via a crafted distribution list (payload in the common name) that is mishandled in the scheduling view.

OX App Suite 7.10.4 and earlier allows XSS via a crafted contact object (payload in the position or company field) that is mishandled in the App Suite UI on a smartphone.

OX App Suite 7.10.4 and earlier allows SSRF via a snippet.

OX App Suite through 7.10.4 allows XSS via the subject of a task.

OX App Suite through 7.10.4 allows XSS via an appointment in which the location contains JavaScript code.

OX App Suite through 7.10.4 allows XSS via a contact whose name contains JavaScript code.

OX App Suite through 7.10.4 allows XSS via JavaScript in a Note referenced by a mail:// URL.

OX App Suite through 7.10.4 allows XSS via an inline image with a crafted filename.

OX App Suite through 7.10.4 allows XSS via an inline binary file.

OX App Suite through 7.10.4 allows XSS via use of the conversion API for a distributedFile.

OX App Suite through 7.10.4 allows XSS via a crafted Content-Disposition header in an uploaded HTML document to an ajax/share/<share-token>?delivery=view URI.

OX App Suite through 7.10.3 allows XSS via the ajax/apps/manifests query string.

OX App Suite through 7.10.4 allows SSRF via a URL with an @ character in an appsuite/api/oauth/proxy PUT request.

OX App Suite through 7.10.4 allows XSS via the app loading mechanism (the PATH_INFO to the /appsuite URI).

OX App Suite through 7.10.3 allows SSRF because GET requests are sent to arbitrary domain names with an initial autoconfig. substring.

OX App Suite through 7.10.3 allows SSRF via the the /ajax/messaging/message message API.

OX App Suite 7.10.3 and earlier allows XSS via text/x-javascript, text/rdf, or a PDF document.

OX App Suite 7.10.3 and earlier allows SSRF, related to the mail account API and the /folder/list API.

OX App Suite 7.10.3 and earlier has Incorrect Access Control via an /api/subscriptions request for a snippet containing an email address.

OX App Suite through 7.10.2 allows SSRF.