If an attacker has access to the console for OpenKM (and is authenticated), a stored XSS vulnerability is reachable in the document “note” functionality.
[
{
"defaultStatus": "affected",
"product": "OpenKM",
"vendor": "OpenKM",
"versions": [
{
"status": "affected",
"version": "6.3.12"
}
]
}
]