Description
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Non-Owner Mailbox Permission report.
Published: 2026-04-03
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Client‑Side XSS
Action: Patch
AI Analysis

Impact

Zohocorp ManageEngine Exchange Reporter Plus contains a stored cross-site scripting flaw in the Non-Owner Mailbox Permission report. Malicious script that an attacker inserts into the report is stored by the application and executes when a user later opens the report, giving the attacker arbitrary JavaScript execution in that user's browser. As with stored XSS generally, this could lead to session cookie theft, phishing, or other client-side attacks, though the CVE description does not explicitly list these outcomes.

Affected Systems

All installations of ManageEngine Exchange Reporter Plus released before version 5802, including releases 5.8, 5800 and 5801, are affected.

Risk and Exploitability

The CVSS score of 7.3 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. The likely attack path requires an attacker to inject malicious content into the report and a user with permission to view the report to subsequently open it, so the risk is confined to authenticated users with view rights to the Non-Owner Mailbox Permission report. This is inferred from the stored nature of the vulnerability and is consistent with the CVSS vector's PR:L and UI:R components.

Generated by OpenCVE AI on April 3, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to ManageEngine Exchange Reporter Plus version 5802 or later.
  • Verify that no older vulnerable versions are deployed in production.
  • Limit access to the Non‑Owner Mailbox Permission report to trusted administrators while the patch is pending.
  • Monitor reports for unexpected script content and anomalous user activity.
  • Apply future vendor patches promptly when they become available.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:-:*:*:*:*:*:*
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5800:*:*:*:*:*:*
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5801:*:*:*:*:*:*

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Description Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Non-Owner Mailbox Permission report.
Title Stored XSS Vulnerability
First Time appeared Zohocorp
Zohocorp manageengine Exchange Reporter Plus
Weaknesses CWE-79
CPEs cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*
Vendors & Products Zohocorp
Zohocorp manageengine Exchange Reporter Plus
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: Zohocorp

Published:

Updated: 2026-04-04T03:55:28.021Z

Reserved: 2026-03-13T10:03:04.192Z

Link: CVE-2026-4108

Vulnrichment

Updated: 2026-04-03T12:26:31.663Z

NVD

Status: Analyzed

Published: 2026-04-03T12:16:19.207

Modified: 2026-04-03T18:23:54.213

Link: CVE-2026-4108

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T07:55:04Z

Weaknesses