Description
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Distribution Lists report.
Published: 2026-04-03
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

Zohocorp ManageEngine Exchange Reporter Plus versions prior to build 5802 contain a stored cross‑site scripting flaw in the Distribution Lists report. The vulnerability enables an attacker to inject malicious scripts into report data that is later rendered by the web interface, which could lead to session hijacking, defacement, or arbitrary script execution in the victim’s browser.

Affected Systems

All installations of ManageEngine Exchange Reporter Plus that use a build number older than 5802 are affected. Product versions listed in the Common Platform Enumeration entries, such as 5.8 and earlier releases, carry the flaw. Administrators should verify the currently installed build against the 5802 threshold and apply the vendor’s fix or upgrade accordingly.

Risk and Exploitability

The CVSS score of 7.3 reflects a high severity level, while the EPSS score of less than 1% indicates a low probability of active exploitation at this time. The flaw is not included in the CISA Known Exploited Vulnerabilities catalog. Based on the description, the likely attack vector is through crafted input that populates the Distribution Lists report; an attacker who can submit or modify report data could cause trusted users’ browsers to execute injected scripts.

Generated by OpenCVE AI on April 3, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch or upgrade ManageEngine Exchange Reporter Plus to version 5802 or later.
  • If an immediate upgrade is not feasible, limit access to the Distribution Lists report or disable the feature until a patched version is available.
  • Ensure that only authorized and trusted users have permissions for the report functionality and monitor the web interface for unexpected script execution.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:-:*:*:*:*:*:*
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5800:*:*:*:*:*:*
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5801:*:*:*:*:*:*

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Description Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Distribution Lists report.
Title Stored XSS Vulnerability
First Time appeared Zohocorp
Zohocorp manageengine Exchange Reporter Plus
Weaknesses CWE-79
CPEs cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*
Vendors & Products Zohocorp
Zohocorp manageengine Exchange Reporter Plus
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Zohocorp

Published:

Updated: 2026-04-04T03:55:21.860Z

Reserved: 2026-03-13T11:43:54.690Z

Link: CVE-2026-28754

Vulnrichment

Updated: 2026-04-03T12:10:26.342Z

NVD

Status: Analyzed

Published: 2026-04-03T11:17:05.543

Modified: 2026-04-03T18:52:53.603

Link: CVE-2026-28754

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T07:55:10Z

Weaknesses