Zohocorp ManageEngine Exchange Reporter Plus versions prior to 5802 suffer from a stored cross-site scripting vulnerability (CWE-79) in the Equipment Mailbox Details report. This vulnerability allows an attacker with at least low privileges and user interaction to inject malicious scripts that execute in the context of other users' browsers, potentially compromising confidentiality and integrity of data. The CVSS v3.1 base score is 7.3, reflecting network attack vector, low attack complexity, required privileges, and user interaction. No official patch or vendor advisory details on remediation are currently available.

Successful exploitation of this vulnerability can lead to unauthorized disclosure and modification of sensitive information within the affected application context. It does not impact system availability. The vulnerability requires an attacker to have some privileges and for a user to interact with malicious content. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should exercise caution with input in the Equipment Mailbox Details report and consider restricting access or applying temporary mitigations as recommended by the vendor once available.