CVE-2025-5343: 
Zoho ManageEngine Exchange Reporter Plus vulnerability analysis and mitigation

Zohocorp ManageEngine Exchange Reporter Plus versions through 5721 are vulnerable to Stored Cross Site Scripting (XSS) in the Instant Search option. The vulnerability was discovered by Ngockhanhc311 from FPT NightWolf and was fixed in build 5722 released on May 29, 2025 (ManageEngine Advisory).

The vulnerability is classified as a Stored Cross Site Scripting (CWE-79) issue affecting the Instant Search function within the Content Search module. The vulnerability has received a CVSS v3.1 base score of 5.4 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) from NVD, while ManageEngine assessed it with a score of 6.3 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N) (NVD).

According to the vendor advisory, this vulnerability could allow attackers to execute malicious scripts, potentially granting them unauthorized access to the application (ManageEngine Advisory).

Given the severity of this vulnerability, customers are strongly advised to update Exchange Reporter Plus to build 5722 or later. The update can be applied by downloading and installing the latest service pack from the vendor's website. Users experiencing difficulties with the update process can contact product support at support@exchangereporterplus.com (ManageEngine Advisory).