CVE-2025-5366
BaseFortify
Publication date: 2025-06-26
Last updated on: 2025-09-29
Assigner: ManageEngine
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zohocorp | manageengine_exchange_reporter_plus | to 5.7 (exc) |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-5366 is a high-severity stored Cross-Site Scripting (XSS) vulnerability in ManageEngine Exchange Reporter Plus versions 5722 and below. It specifically affects the 'Folder-wise Read Mails with Subject' report, allowing attackers to inject malicious scripts that are stored and executed within the application. This can lead to unauthorized actions within the software. [1]
How can this vulnerability impact me? :
Exploitation of this vulnerability could allow attackers to create privileged accounts and gain unauthorized access to the Exchange Reporter Plus application. This can compromise the security of the system, potentially leading to data breaches or unauthorized monitoring and reporting activities. [1]
What immediate steps should I take to mitigate this vulnerability?
Users should immediately update Exchange Reporter Plus to build 5723 or later by downloading and applying the latest service pack following the official instructions. This update fixes the stored XSS vulnerability present in versions up to build 5722. [1]