Description
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Public Folder Client Permissions report.
Published: 2026-04-03
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in the Public Folder Client Permissions report of Zohocorp ManageEngine Exchange Reporter Plus. The flaw allows an attacker to embed malicious scripts that run in the browsers of users who view the report, potentially enabling session hijacking, data theft, or defacement. The weakness is classified as CWE‑79.

Affected Systems

Zohocorp ManageEngine Exchange Reporter Plus, all releases prior to 5802, including the 5.8.x series up to 5801. These versions contain the vulnerable Public Folder Client Permissions report functionality.

Risk and Exploitability

The issue carries a CVSS score of 7.3, indicating high severity, while the EPSS score is below 1%, suggesting a low likelihood of exploitation. It is not listed in the CISA KEV catalog. The likely attack vector involves an authenticated or partially authenticated user inserting malicious payloads into the report that are subsequently rendered to other users who access the report. Given its impact on confidentiality and integrity within affected systems, the risk is considered high for environments that allow report generation by users with sufficient privileges.

Generated by OpenCVE AI on April 3, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-provided update to version 5802 or later. If an upgrade cannot be performed immediately, restrict or disable access to the Public Folder Client Permissions report for all but trusted administrators. Implement output sanitization or a strict content security policy to block execution of injected scripts from the report.

Generated by OpenCVE AI on April 3, 2026 at 21:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:-:*:*:*:*:*:*
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5800:*:*:*:*:*:*
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5801:*:*:*:*:*:*

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Description Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Public Folder Client Permissions report.
Title Stored XSS Vulnerability
First Time appeared Zohocorp
Zohocorp manageengine Exchange Reporter Plus
Weaknesses CWE-79
CPEs cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*
Vendors & Products Zohocorp
Zohocorp manageengine Exchange Reporter Plus
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}

Subscriptions

Zohocorp Manageengine Exchange Reporter Plus
cve-icon MITRE

Status: PUBLISHED

Assigner: Zohocorp

Published:

Updated: 2026-04-04T03:55:29.128Z

Reserved: 2026-03-10T13:16:19.257Z

Link: CVE-2026-3880

cve-icon Vulnrichment

Updated: 2026-04-03T12:47:38.909Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T12:16:18.933

Modified: 2026-04-03T18:27:41.177

Link: CVE-2026-3880

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T07:55:06Z

Weaknesses