Zohocorp ManageEngine Exchange Reporter Plus prior to version 5802 contains a stored XSS vulnerability (CWE-79) in the Folder Message Count and Size report. This vulnerability arises from improper input neutralization during web page generation, allowing attackers with at least low privileges and requiring user interaction to inject malicious scripts. The CVSS 3.1 score is 7.3 (high), reflecting network attack vector, low attack complexity, required privileges, user interaction, and high impact on confidentiality and integrity.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of the affected application, potentially leading to unauthorized disclosure or modification of sensitive information. The availability of the system is not impacted. The vulnerability requires the attacker to have some privileges and user interaction to trigger the exploit.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the affected report to trusted users only and consider applying web application firewall (WAF) rules to detect and block XSS payloads targeting this component. Monitor vendor communications for updates on patches or official mitigations.