Zohocorp ManageEngine Exchange Reporter Plus versions prior to 5802 are affected by a stored cross-site scripting (CWE-79) vulnerability in the Distribution Lists report feature. This vulnerability arises from improper input neutralization during web page generation, allowing attackers with low privileges and requiring user interaction to inject malicious scripts. The CVSS 3.1 base score is 7.3, reflecting network attack vector, low attack complexity, required privileges, user interaction, and high confidentiality and integrity impact without availability impact. No patch or official remediation level has been published by Zohocorp as of the data provided.

Successful exploitation of this vulnerability can lead to the execution of arbitrary scripts in the context of the affected application, potentially allowing attackers to steal sensitive information or perform unauthorized actions on behalf of legitimate users. The confidentiality and integrity of data are at high risk, while availability is not impacted. The vulnerability requires user interaction and low privileges, which somewhat limits exploitation scope. No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, organizations should consider restricting access to the Distribution Lists report feature to trusted users only and apply any available workarounds recommended by Zohocorp. Monitor vendor communications closely for updates regarding patches or mitigations.