Zohocorp ManageEngine Exchange Reporter Plus versions prior to 5802 are affected by a stored XSS vulnerability (CWE-79) in the 'Mails Exchanged Between Users' report. This vulnerability allows an attacker with low privileges and requiring user interaction to inject malicious scripts that execute in the context of other users viewing the report. The CVSS 3.1 base score is 7.3, reflecting network attack vector, low attack complexity, required privileges, user interaction, and high impact on confidentiality and integrity. No patch or official remediation level has been provided by the vendor as of the published date.

Successful exploitation can lead to unauthorized disclosure of sensitive information and modification of data within the affected application context. The vulnerability does not impact system availability. The attack requires user interaction and some privileges, limiting but not eliminating risk. There are no known active exploits reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, limit exposure by restricting access to the affected report to trusted users only and consider applying web application firewall (WAF) rules to detect and block XSS payloads targeting this component. Monitor vendor communications for updates on patches or official mitigations.