CVE-2025-5966: 
Zoho ManageEngine Exchange Reporter Plus vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in ManageEngine Exchange Reporter Plus versions 5722 and below, specifically in the Attachments by File Name Keyword report feature. The vulnerability was assigned CVE-2025-5966 and was fixed in build 5723, released on June 23, 2025 (ManageEngine Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

If successfully exploited, this vulnerability could allow attackers to create a privileged account and gain access to the application, potentially compromising the security of the Exchange Reporter Plus installation (ManageEngine Advisory).

ManageEngine has released build 5723 to address this vulnerability. Users are strongly advised to update their Exchange Reporter Plus installation immediately to the latest build. The update can be applied by downloading the latest service pack and following the provided installation instructions (ManageEngine Advisory).