CVE-2025-57244

5.4 MEDIUM

📋 TL;DR

OpenKM Community Edition 6.3.12 has a stored cross-site scripting (XSS) vulnerability in the user account creation interface. Attackers can inject malicious scripts into the Name field or bypass frontend validation in the Email field using encoded script tags. This affects all users of OpenKM Community Edition 6.3.12 who have access to create user accounts.

💻 Affected Systems

Products:
  • OpenKM Community Edition
Versions: 6.3.12
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation. Only affects systems where user account creation is enabled.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, perform account takeover, deface the application, or redirect users to malicious sites, potentially leading to complete system compromise.

🟠 Likely Case

Attackers with access to create user accounts could inject malicious scripts that execute in other users' browsers, potentially stealing session cookies or performing actions on behalf of authenticated users.

🟢 If Mitigated

With proper input validation and output encoding, the malicious scripts would be neutralized, preventing execution in user browsers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to create user accounts. The vulnerability is well-documented with public proof-of-concept available in the GitHub references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch available. Implement server-side input validation and output encoding for all user inputs in the account creation interface.

🔧 Temporary Workarounds

Implement Server-Side Input Validation (applies to: all platforms)

Add server-side validation that sanitizes and validates the Name and Email fields, rejecting any input containing script tags or encoded script tags. Validation on the server is what matters here, since the frontend check is bypassed by modifying the POST request; keep output encoding in place as well (see the official fix instructions above) so that anything stored is rendered inert when user accounts are displayed.

Enable Content Security Policy (CSP) (applies to: all platforms)

Implement a strict Content Security Policy header to prevent execution of inline scripts and restrict script sources.

Add to the web server configuration: Content-Security-Policy: default-src 'self'; script-src 'self'

Test the application after enabling the policy: a policy without 'unsafe-inline' also blocks the application's own inline scripts and inline event handlers, so parts of the UI may need adjusting before it can be enforced.

🧯 If You Can't Patch

  • Disable user account creation functionality if not required
  • Implement a web application firewall (WAF) with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Attempt to create a user account with script tags in the Name field (e.g., <script>alert('XSS')</script>), or with encoded script tags in the Email field submitted by modifying the POST request so that the frontend validation is bypassed.

Check Version:

Check the OpenKM version in the administration interface or in the application files.

Verify Fix Applied:

Test that script tags in the Name field are rejected and that encoded script tags in the Email field are properly sanitized. Verify that malicious scripts do not execute when viewing user accounts.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to user creation endpoint with script-like content
  • Multiple failed user creation attempts with suspicious inputs

Network Indicators:

  • HTTP requests containing script tags or encoded script tags in user creation parameters

SIEM Query:

source="web_server" AND ("<script>" OR "%3Cscript%3E") AND uri="/user/create"
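As an added example (not part of the original advisory), the log indicators above as a small Python matcher. It goes a step beyond the SIEM query: request data is normalized by repeatedly undoing percent-encoding and HTML entities, so the plain tag, `%3Cscript%3E`, the double-encoded `%253Cscript%253E` and `&lt;script&gt;` are all caught, and only POSTs to the account-creation path are flagged. The `/user/create` path is taken from the SIEM query and must be adapted to the real deployment; the JSON log records (with a logged request body, which a plain access log does not contain) are constructed for the example.

```python
import html
import json
import re
from urllib.parse import unquote

# Assumed account-creation endpoint (taken from the advisory's SIEM query; adapt
# to the real path of the deployment being monitored).
USER_CREATE_PATH = "/user/create"
# Opening script tag, matched only after the request data has been normalized.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

def normalize(value: str, max_rounds: int = 3) -> str:
    """Undo layered percent-encoding and HTML entities ('%253Cscript%253E' -> '<script>')."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(record: dict) -> bool:
    """True for a POST to the user-creation path carrying a (possibly encoded) script tag."""
    if record.get("method", "").upper() != "POST":
        return False
    if record.get("uri", "").split("?", 1)[0] != USER_CREATE_PATH:
        return False
    data = record.get("uri", "") + " " + record.get("body", "")
    return SCRIPT_TAG.search(normalize(data)) is not None

def scan(log_lines):
    """Return flagged records from JSON log lines; malformed lines are skipped."""
    hits = []
    for line in log_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_suspicious(record):
            hits.append(record)
    return hits

# Constructed sample records (body logging by a reverse proxy or WAF is assumed,
# since a plain access log does not record POST bodies).
SAMPLE_LOG = [
    '{"method":"POST","uri":"/user/create","body":"name=alice&email=alice%40example.com"}',
    '{"method":"POST","uri":"/user/create","body":"name=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3E&email=a%40b.c"}',
    '{"method":"POST","uri":"/user/create","body":"name=bob&email=%253Cscript%253E%40x.y"}',
    '{"method":"GET","uri":"/search?q=%3Cscript%3E","body":""}',
]
```

Running `scan(SAMPLE_LOG)` flags the second and third records only; the benign account creation and the GET outside the endpoint are not reported.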
