See support ticket https://mynms.opennms.com/Ticket/Display.html?id=3040
There is a reflected XSS vulnerability in alarm/details.htm which can be triggered by entering <script>window.alert("gotcha!")</script> as the alarm ID in the search box of alarm/index.jsp.
There is an additional XSS vulnerability that manifests throughout the webapp if a node's label contains a <script> tag. An untrusted actor with PROVISION_ROLE could easily exploit this vector.