Description
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Equipment Mailbox Details report.
Published: 2026-04-03
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Upgrade
AI Analysis

Impact

A vulnerability in Zohocorp ManageEngine Exchange Reporter Plus allows an attacker to store malicious JavaScript code in the Equipment Mailbox Details report. When a user opens the report, the script runs in that user's browser, giving the attacker client‑side code execution. The flaw is classified as CWE‑79, and its impact is limited to what the injected script can do in the browser.

Affected Systems

The issue affects all releases of Zohocorp ManageEngine Exchange Reporter Plus prior to build 5802, including the 5.8 version series and builds 5800 and 5801.

Risk and Exploitability

The CVSS score of 7.3 signals high severity, while the EPSS score below 1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that an attacker likely requires authenticated access to create or edit the Equipment Mailbox Details report, which is consistent with the PR:L and UI:R values in the CVSS vector. Once a payload is stored, it is served to any user who views the report, making this a persistent cross‑site scripting vector.

Generated by OpenCVE AI on April 3, 2026 at 23:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ManageEngine Exchange Reporter Plus to build 5802 or newer to eliminate the flaw.
  • Restrict permissions for creating or editing Equipment Mailbox Details reports to trusted administrators.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:-:*:*:*:*:*:*
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5800:*:*:*:*:*:*
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5801:*:*:*:*:*:*

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Description Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Equipment Mailbox Details report.
Title Stored XSS Vulnerability
First Time appeared Zohocorp
Zohocorp manageengine Exchange Reporter Plus
Weaknesses CWE-79
CPEs cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*
Vendors & Products Zohocorp
Zohocorp manageengine Exchange Reporter Plus
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Zohocorp

Published:

Updated: 2026-04-04T03:55:25.671Z

Reserved: 2026-03-10T13:16:05.939Z

Link: CVE-2026-3879

Vulnrichment

Updated: 2026-04-03T12:48:05.473Z

NVD

Status: Analyzed

Published: 2026-04-03T12:16:18.743

Modified: 2026-04-03T18:49:50.463

Link: CVE-2026-3879

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T07:55:07Z

Weaknesses