CVE-2025-5966 in Exchange Reporter Plus
Summary
by MITRE • 06/26/2025
Zohocorp ManageEngine Exchange Reporter Plus versions 5722 and below are vulnerable to stored XSS in the Attachments by filename keyword report.
Analysis
by VulDB Data Team • 09/30/2025
CVE-2025-5966 affects Zohocorp ManageEngine Exchange Reporter Plus builds 5722 and earlier. It is a stored cross-site scripting (XSS) flaw in the Attachments by filename keyword report: the report writes attachment filename data into its HTML response without encoding it for the HTML context, so a filename that contains markup is rendered as markup rather than as text. Because the value is persisted and rendered again for every user who opens the report, a script placed in it runs in the browser of each viewer, with that viewer's session.
Exploitation follows the usual stored XSS pattern. The attacker gets a filename containing HTML or JavaScript into the data the report draws on; the public description does not say whether the injection point is the report's own keyword parameter or the filename of an attachment the product indexes, so both should be treated as untrusted. When another user opens the affected report, the stored payload is rendered and executes in that user's browser, allowing session hijacking, theft of credentials or tokens entered into the application, or redirection to an attacker-controlled site. The root cause is missing output encoding in the report generation code, with inadequate input validation as a secondary factor; the weakness is CWE-79, in its stored (persistent) form.
The impact is bounded by what the viewing user can do inside Exchange Reporter Plus, which for the administrators who typically review attachment reports is considerable: a hijacked administrative session can read report data, including attachment metadata, change product configuration, or alter reports to conceal activity. Compromise of the wider Exchange environment is not a direct consequence of the XSS itself; it would need a further step that this vulnerability does not provide, and the advisory does not document such a chain. Every user who can open the affected report is a potential victim, and the only interaction required is viewing the report, something administrators do routinely, which is what makes the flaw dangerous in practice.
The remediation is to update to a build later than 5722 as directed by the vendor advisory, and it should be prioritised because the attack needs no interaction beyond a page view. Until the update is applied, the useful compensating controls are these. The durable code-level fix is contextual output encoding of every untrusted value, attachment filenames included, at the point it is written into HTML; input validation is only a secondary layer, since filenames legitimately contain characters that are unsafe in HTML and rejecting them is not a complete fix. A Content Security Policy that disallows inline script limits what an injected payload can do, but it is defence in depth, not a fix. A web application firewall rule that flags filenames or keyword parameters containing angle brackets or event-handler attributes gives detection and some blocking, and access to the report can be restricted to the accounts that need it. In ATT&CK terms the post-exploitation outcomes map to T1539 (Steal Web Session Cookie) and T1185 (Browser Session Hijacking). Follow-up assessment should concentrate on other report paths that render mailbox-derived strings, since the same encoding omission is likely to recur there.
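The rendering defect described in the analysis above, and the output-encoding fix recommended in the mitigation paragraph, side by side. This is an added example, not code from Exchange Reporter Plus or from ManageEngine; the report row layout, the `renderRow*` functions, the sample rows and the `suspiciousFilename` hunting heuristic are all assumptions made for illustration.

```javascript
// Added example (not Exchange Reporter Plus code): how an attachment filename
// reaches HTML in a report row, first the CWE-79 way, then encoded.
// The row layout (filename cell with a title attribute, sender cell) is assumed.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// HTML-encode a value for use in element text and in double-quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable pattern: the raw filename is concatenated into markup, both as
// element text and inside an attribute. A filename containing '"><img ...>'
// closes the attribute and injects an element that runs for every viewer.
function renderRowVulnerable(row) {
  return `<tr><td title="${row.filename}">${row.filename}</td>` +
         `<td>${row.sender}</td></tr>`;
}

// Hardened pattern: every untrusted value is encoded at the point of output.
// The same encoder covers text and double-quoted attribute context here;
// a URL or JavaScript context would need its own encoder.
function renderRowSafe(row) {
  const name = escapeHtml(row.filename);
  const sender = escapeHtml(row.sender);
  return `<tr><td title="${name}">${name}</td><td>${sender}</td></tr>`;
}

// Count start tags in a rendered fragment. The template itself contributes
// exactly three (<tr>, <td>, <td>); anything above that came from the data.
function countElements(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

// Hunting heuristic for attachment metadata or report parameters: flags
// filenames carrying HTML metacharacters or event-handler syntax. It is
// deliberately noisy (an apostrophe in a filename trips it), so treat hits
// as triage candidates, not confirmed attacks.
function suspiciousFilename(name) {
  return /[<>"']|javascript:|on[a-z]+\s*=/i.test(name);
}

// Constructed sample rows: one benign, one carrying a stored-XSS style filename.
const SAMPLE_ROWS = [
  { filename: 'Q3-budget.xlsx', sender: 'finance@example.com' },
  { filename: '"><img src=x onerror=alert(document.cookie)>.pdf', sender: 'ext@example.net' },
];

for (const row of SAMPLE_ROWS) {
  console.log('vulnerable:', renderRowVulnerable(row), 'elements =', countElements(renderRowVulnerable(row)));
  console.log('safe:      ', renderRowSafe(row), 'elements =', countElements(renderRowSafe(row)));
  console.log('flagged:   ', suspiciousFilename(row.filename));
}
```

The element count is the quickest way to see the difference: the vulnerable renderer turns the second filename into five start tags (two injected `<img>` elements with `onerror` handlers), while the encoded renderer always yields the three the template defines, with the payload visible on the page as literal text. The same comparison, run over a copy of the real report data, is a practical way to confirm whether a build is affected without waiting on a viewer's browser to execute something.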