Zohocorp ManageEngine Exchange Reporter Plus versions prior to 5802 are affected by a stored cross-site scripting vulnerability (CWE-79) in the Non-Owner Mailbox Permission report. This vulnerability allows an attacker with limited privileges to inject malicious scripts that are stored and later executed when the report is viewed, potentially leading to high impact on confidentiality and integrity. The CVSS v3.1 base score is 7.3, reflecting network attack vector, low attack complexity, required privileges, and user interaction. No vendor advisory or patch information is currently available, and the product is not a cloud service.

Successful exploitation of this vulnerability can result in the execution of arbitrary scripts in the context of the affected application, leading to unauthorized access to sensitive information and potential modification of data. The CVSS score indicates a high impact on confidentiality and integrity, but no impact on availability. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should exercise caution with user inputs related to the Non-Owner Mailbox Permission report and consider restricting access to this feature to trusted users only. Monitor vendor communications for updates on patches or official mitigations.