Description
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Public Folder Client Permissions report.
Published: 2026-04-03
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The flaw is a stored cross‑site scripting vulnerability in the Public Folder Client Permissions report of Zohocorp ManageEngine Exchange Reporter Plus. An attacker can embed malicious HTML or JavaScript into the report data. When a user opens the report, the browser renders the content and executes the injected script. Based on the description, it is inferred that the script runs within the victim’s browser context.

Affected Systems

All installations of Zohocorp ManageEngine Exchange Reporter Plus with build numbers before 5802 are affected, while versions 5802 and newer are not. No further sub‑version detail is provided.

Risk and Exploitability

The CVSS v3.1 base score of 7.3 indicates high severity, the EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited exploitation to date. It is inferred that the attack vector is a web interface that accepts input from users. Because stored payloads are delivered to each user who views the report, the potential impact can range from a single user to the entire organization.

Generated by OpenCVE AI on April 3, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zohocorp ManageEngine Exchange Reporter Plus to version 5802 or later
  • If an upgrade is not feasible, limit access to the Public Folder Client Permissions report to trusted administrative users
  • Monitor user activity for unexpected script execution and review audit logs for suspicious behavior
  • Check the ManageEngine website regularly for further security updates

Generated by OpenCVE AI on April 3, 2026 at 16:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:-:*:*:*:*:*:*
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5800:*:*:*:*:*:*
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5801:*:*:*:*:*:*

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Description Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Public Folder Client Permissions report.
Title Stored XSS Vulnerability
First Time appeared Zohocorp
Zohocorp manageengine Exchange Reporter Plus
Weaknesses CWE-79
CPEs cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*
Vendors & Products Zohocorp
Zohocorp manageengine Exchange Reporter Plus
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}

Subscriptions

Zohocorp Manageengine Exchange Reporter Plus
cve-icon MITRE

Status: PUBLISHED

Assigner: Zohocorp

Published:

Updated: 2026-04-03T12:47:41.863Z

Reserved: 2026-03-10T13:16:19.257Z

Link: CVE-2026-3880

cve-icon Vulnrichment

Updated: 2026-04-03T12:47:38.909Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T12:16:18.933

Modified: 2026-04-03T18:27:41.177

Link: CVE-2026-3880

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T21:16:41Z

Weaknesses