Description
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Non-Owner Mailbox Permission report.
Published: 2026-04-03
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS enabling script execution in reports
Action: Immediate Patch
AI Analysis

Impact

Zohocorp ManageEngine Exchange Reporter Plus contains a stored cross-site scripting flaw in the Non-Owner Mailbox Permission report. An attacker can embed malicious JavaScript that is preserved and displayed to any user who views the report, resulting in arbitrary script execution within the victim’s browser. This allows theft of session cookies, injection of forged requests, or further compromise of system integrity.

Affected Systems

The flaw affects all ManageEngine Exchange Reporter Plus installations running versions earlier than 5802. The affected vendor is Zohocorp, and the CPE identifiers correspond to the product in question.

Risk and Exploitability

The CVSS score of 7.3 indicates a high-severity vulnerability. The EPSS score is not available and the issue is not listed in the CISA KEV catalog, suggesting no widely known public exploit yet. Exploitation requires an authenticated attacker who can submit data to the report, likely limited to privileged users. However, the stored payload delivery combined with possible privilege escalation makes the risk significant, warranting prompt remediation.

Generated by OpenCVE AI on April 3, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch or upgrade to version 5802 or newer
  • Restrict editing rights to the Non-Owner Mailbox Permission report so only trusted administrators can create or modify entries
  • Disable or delete the report feature if the product is not in active use
  • Conduct an audit of recent report creation for malicious content
  • Monitor web application logs for unexpected script behaviors or failed access attempts

Generated by OpenCVE AI on April 3, 2026 at 15:20 UTC.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:-:*:*:*:*:*:*
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5800:*:*:*:*:*:*
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5801:*:*:*:*:*:*

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Description Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Non-Owner Mailbox Permission report.
Title Stored XSS Vulnerability
First Time appeared Zohocorp
Zohocorp manageengine Exchange Reporter Plus
Weaknesses CWE-79
CPEs cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*
Vendors & Products Zohocorp
Zohocorp manageengine Exchange Reporter Plus
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Zohocorp

Published:

Updated: 2026-04-03T12:26:35.401Z

Reserved: 2026-03-13T10:03:04.192Z

Link: CVE-2026-4108

Vulnrichment

Updated: 2026-04-03T12:26:31.663Z

NVD

Status: Analyzed

Published: 2026-04-03T12:16:19.207

Modified: 2026-04-03T18:23:54.213

Link: CVE-2026-4108

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T21:16:38Z

Weaknesses