CVE-2026-28703
Stored XSS in ManageEngine Exchange Reporter Plus Mails Report
Publication date: 2026-04-03
Last updated on: 2026-04-03
Assigner: ManageEngine
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zohocorp | manageengine_exchange_reporter_plus | 5.8 |
| zohocorp | manageengine_exchange_reporter_plus | up to 5.8 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28703 is a stored Cross-Site Scripting (XSS) vulnerability found in the "Mails Exchanged Between Users" report within the Reports module of ManageEngine Exchange Reporter Plus versions before build 5802.
This vulnerability allows an authenticated attacker with Exchange administrative privileges to inject and execute malicious scripts in the report.
When other users view the compromised report, the malicious scripts can execute with their privileges, potentially enabling unauthorized actions within Exchange Reporter Plus.
The issue was fixed in build 5802 by implementing proper input validation.
How can this vulnerability impact me?
Exploitation of this vulnerability could allow an attacker to perform unauthorized actions within Exchange Reporter Plus by executing malicious scripts under the privileges of any user who views the affected report.
This could lead to compromise of sensitive information, manipulation of reports, or further attacks within the Exchange environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a stored Cross-Site Scripting (XSS) issue in the "Mails Exchanged Between Users" report of Exchange Reporter Plus versions before build 5802.
Detection involves verifying whether your Exchange Reporter Plus installation is running a build prior to 5802.
Since exploitation requires an authenticated attacker with Exchange administrative privileges to inject malicious scripts into the report, no direct network detection commands are specified.
No specific commands for detecting exploitation or presence of malicious scripts in reports are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update Exchange Reporter Plus to build 5802 or later, where the vulnerability has been fixed by implementing proper input validation.
Ensure that only trusted users have Exchange administrative privileges, as exploitation requires such privileges.
Apply the update via the service pack provided by ManageEngine as soon as possible to prevent exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in ManageEngine Exchange Reporter Plus allows an authenticated attacker with Exchange administrative privileges to inject and execute malicious scripts within the "Mails Exchanged Between Users" report. This could enable unauthorized actions leveraging the privileges of any user who views the compromised report.
Such unauthorized access and potential data manipulation or exposure could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.
Therefore, until the vulnerability is patched by updating to build 5802 or later, organizations using affected versions may face increased risk of non-compliance due to potential data breaches or unauthorized data handling.