Impact
ManageEngine Exchange Reporter Plus contains a stored XSS flaw in the Permissions Based on Mailboxes report for all releases prior to 5802. An attacker able to inject JavaScript into the report can have that script execute in the web browser of any user who views the report, enabling cookie theft, session hijacking, defacement or further malicious activity. This vulnerability is a typical example of CWE‑79, where client‑side code is injected and used without proper sanitization.
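As an added illustration, not code from this advisory or from ManageEngine, the following shows the CWE-79 pattern described above beside its hardened form: a report row whose untrusted field values are concatenated straight into HTML, versus one that encodes them for the HTML context. The `MailboxPermission` type, the two renderers and the sample rows are hypothetical and constructed here.

```python
import html
from dataclasses import dataclass


@dataclass
class MailboxPermission:
    """One row of a hypothetical mailbox-permissions report (constructed)."""
    mailbox: str
    trustee: str
    access_rights: str


# Constructed sample data: the second mailbox name carries markup, standing in
# for any attribute value a report might pull from user-controlled storage.
SAMPLE_ROWS = [
    MailboxPermission("alice@example.test", "bob@example.test", "FullAccess"),
    MailboxPermission("<script>marker()</script>", "mallory@example.test", "SendAs"),
]


def render_row_unsafe(row: MailboxPermission) -> str:
    # Vulnerable pattern (CWE-79): stored values are interpolated into HTML
    # unencoded, so markup inside a field becomes live script in the viewer's
    # browser.
    return (f"<tr><td>{row.mailbox}</td><td>{row.trustee}</td>"
            f"<td>{row.access_rights}</td></tr>")


def render_row_safe(row: MailboxPermission) -> str:
    # Hardened pattern: every untrusted value is entity-encoded for the HTML
    # text context before it reaches the page, so '<' and '>' render literally.
    cells = (html.escape(v, quote=True)
             for v in (row.mailbox, row.trustee, row.access_rights))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def render_report(rows, renderer) -> str:
    """Assemble the full report table using the given row renderer."""
    return "<table>" + "".join(renderer(r) for r in rows) + "</table>"


def contains_raw_tag(rendered: str, tag: str = "<script") -> bool:
    """True if an unencoded tag survived into the rendered HTML."""
    return tag in rendered
```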
Affected Systems
The affected software is Zohocorp’s ManageEngine Exchange Reporter Plus. Versions before 5802 are known to be vulnerable; this includes the 5.8 series up to the 5801 patch level, as reflected in the CPEs. Administrative or end‑user accounts that can request the Permissions Based on Mailboxes report are at risk.
Risk and Exploitability
The CVSS base score of 7.3 indicates high risk, but the exploit probability is unknown because EPSS data is not available in the public record. The vulnerability has not yet appeared in the CISA KEV catalog, suggesting no confirmed production exploitation at this time. Attackers would need authenticated access to the report page, which is typically limited to privileged roles; however, once the stored payload is triggered, it runs in the viewing user’s browser context and can exfiltrate data or perform actions on that user’s behalf. It is recommended that defenders prioritize remediation.
OpenCVE Enrichment