High

Analysis Summary

CVE-2025-5966 CVSS:8.1

Zoho ManageEngine Exchange reporter Plus is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Attachments by File Name Keyword report. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVE-2025-5366 CVSS:8.1

Zoho ManageEngine Exchange reporter Plus is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Attachments by the Folder-wise Read Mails with Subject report. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

Impact

• Cross-Site Scripting

Indicators of Compromise

CVE

• CVE-2025-5966

• CVE-2025-5366

Affected Vendors

Remediation

Upgrade to the latest version of Exchange Reporter Plus, available from the Zoho ManageEngine Website.

CVE-2025-5966

CVE-2025-5366