OX App Suite through 8.2 allows XSS via an attachment or OX Drive content when a client uses the len or off parameter.

documentconverter in OX App Suite through 7.10.6, in a non-default configuration with ghostscript, allows OS Command Injection because file conversion may occur for an EPS document that is disguised as a PDF document.

OX App Suite through 7.10.6 allows SSRF because multipart/form-data boundaries are predictable, and this can lead to injection into internal Documentconverter API calls.

OX App Suite through 7.10.6 allows OS Command Injection via a serialized Java class to the Documentconverter API.

OX App Suite through 7.10.6 allows XSS via appHandler in a deep link in an e-mail message.

OX App Suite through 7.10.6 allows OS Command Injection via Documentconverter (e.g., through an email attachment).

OX App Suite through 7.10.5 allows XSS via uuencoding in a multipart/alternative message.

OX App Suite through 7.10.5 allows XSS via a trailing control character such as the SCRIPT\t substring.

OX App Suite through 7.10.5 allows XSS via the class attribute of an element in an HTML e-mail signature.

OX App Suite through 7.10.5 allows XSS via NIFF (Notation Interchange File Format) data.