Zohocorp ManageEngine Exchange Reporter Plus versions prior to 5802 contain a stored cross-site scripting vulnerability (CWE-79) in the Public Folder Client Permissions report. This vulnerability arises from improper input neutralization during web page generation, allowing attackers with at least low privileges and requiring user interaction to inject malicious scripts. The CVSS 3.1 base score is 7.3, reflecting network attack vector, low attack complexity, privileges required, user interaction, unchanged scope, and high confidentiality and integrity impacts.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of the affected application, potentially leading to disclosure or modification of sensitive information. The availability of the system is not impacted. The vulnerability requires the attacker to have some privileges and the victim to interact with malicious content.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or temporary workaround is documented, users should monitor the vendor's updates closely and apply any patches once available. Until then, limit access to the affected report and exercise caution with user inputs in the Public Folder Client Permissions report.