Executive Summary

CVE-2026-3880 is a stored Cross-Site Scripting (XSS) vulnerability found in ManageEngine Exchange Reporter Plus, specifically in the Public Folder Client Permissions report within the Reports module.

This vulnerability affects versions up to build 5801 and was fixed in build 5802. It allows an authenticated attacker with Exchange administrative privileges to inject and execute malicious scripts.

When exploited, the attacker can perform unauthorized actions by leveraging the privileges of any user who views the compromised report.

Useful 0 Not Useful 0

Impact Analysis

Exploiting this vulnerability could allow an attacker to execute malicious scripts within Exchange Reporter Plus, potentially leading to unauthorized actions being performed under the identity of legitimate users.

Since the attacker needs Exchange administrative privileges to inject the script, the impact includes misuse of administrative functions and possible compromise of sensitive Exchange data.

Users who access the compromised report may have their sessions or data manipulated by the attacker.

Useful 0 Not Useful 0

Detection Guidance

The vulnerability is a stored Cross-Site Scripting (XSS) issue in the Public Folder Client Permissions report of Exchange Reporter Plus versions before build 5802.

Detection involves verifying the version of Exchange Reporter Plus installed on your system to see if it is version 5801 or earlier.

Since this is an application-level vulnerability related to stored XSS in a specific report, network-level detection commands are not directly applicable.

To check the installed version, you can use commands or methods specific to your server environment, such as querying the application version via its interface or checking installed package versions.

• For Windows servers, you might check the version via the Control Panel's Programs and Features or by inspecting the installation directory for version files.
• Alternatively, if Exchange Reporter Plus provides a command-line interface or API, use it to query the current build number.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation step is to update Exchange Reporter Plus to build 5802 or later, where the vulnerability has been fixed by implementing proper input validation.

Ensure that only trusted and authenticated Exchange administrators have access to the Public Folder Client Permissions report to reduce the risk of exploitation.

Apply the appropriate service pack or update provided by ManageEngine as soon as possible.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-3880 is a stored Cross-Site Scripting (XSS) vulnerability in Exchange Reporter Plus that allows an authenticated attacker with administrative privileges to inject and execute malicious scripts. This could lead to unauthorized actions within the application, potentially compromising sensitive data or user accounts.

Since Exchange Reporter Plus is used for monitoring, reporting, and auditing Exchange Server environments, including compliance reporting, exploitation of this vulnerability could undermine the integrity and confidentiality of compliance-related data. This may impact an organization's ability to meet regulatory requirements such as GDPR or HIPAA, which mandate strict controls over data access and protection.

Therefore, failure to patch this vulnerability could result in non-compliance risks due to potential unauthorized access or manipulation of compliance reports and sensitive information.

Useful 0 Not Useful 0