Persistent XSS Vulnerability (Stored XSS)
Platform
manageengine
Component
manageengine-exchange-reporter-plus
Fixed in
5802
CVE-2026-28756 is a stored Cross-Site Scripting (XSS) vulnerability discovered in ManageEngine Exchange Reporter Plus. This vulnerability allows an attacker to inject malicious scripts into the Permissions based on Distribution Groups report, potentially leading to session hijacking or defacement. The vulnerability affects versions prior to 5802, and a patch is available in version 5802.
Impact and Attack Scenarios
Successful exploitation of CVE-2026-28756 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can be leveraged to steal session cookies, redirect users to malicious websites, or modify the content displayed within the Exchange Reporter Plus interface. The impact is particularly severe if the affected system is used by privileged users, as an attacker could potentially gain access to sensitive data or compromise the entire system. The stored nature of the XSS means the payload persists until removed, potentially affecting multiple users.
Exploitation Context
CVE-2026-28756 was publicly disclosed on 2026-04-03. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability's severity is rated HIGH (CVSS 7.3), indicating a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog.
Who Is at Risk
Organizations utilizing ManageEngine Exchange Reporter Plus for email reporting and analysis are at risk, particularly those relying on the Permissions based on Distribution Groups report. Shared hosting environments where multiple users share the same Exchange Reporter Plus instance are especially vulnerable, as an attacker could potentially compromise the entire environment through a single user's session.
Detection Steps
• manageengine / web:
curl -s -X POST "<exchange_reporter_plus_url>/report/permissions_based_on_distribution_groups?param=<xss_payload>" | grep -i "<xss_payload>"
• generic web:
curl -s -X POST "<exchange_reporter_plus_url>/report/permissions_based_on_distribution_groups?param=<xss_payload>" | grep -i "<xss_payload>"
Attack Timeline
- Disclosure
Threat Intelligence
Exploit Status
EPSS
0.02% (percentile 4%)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the internet. No physical or local access required.
- Attack Complexity
- Low: no special conditions required. Reliably exploitable.
- Privileges Required
- Low: any valid user account is sufficient.
- User Interaction
- Required: the victim must open a file, click a link or visit a page.
- Scope
- Unchanged: impact limited to the vulnerable component.
- Confidentiality
- High: total loss of confidentiality. The attacker can read all data.
- Integrity
- High: the attacker can write, modify or delete all data.
- Availability
- None: no impact on availability.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2026-28756 is to upgrade ManageEngine Exchange Reporter Plus to version 5802 or later. If upgrading immediately is not possible, consider implementing input validation and output encoding on the Permissions based on Distribution Groups report to sanitize user-supplied data. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Review and restrict access to the Permissions based on Distribution Groups report to limit potential exposure.
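The output-encoding mitigation recommended above, shown as an added example that is not part of this advisory and not ManageEngine's code: a report row built by raw string interpolation beside the same row built with HTML escaping, plus a small audit helper that flags stored values containing markup-like content so an operator can review persisted report data after patching. The report endpoint, field names and group names are constructed sample data, not values taken from the product.

```python
"""Added example (not part of the original advisory or ManageEngine's code).

Demonstrates the output-encoding mitigation for a stored XSS in a report:
a cell built by string concatenation versus the same cell built with
context-appropriate HTML escaping. All rows below are constructed sample
data; the field names do not come from the real product."""
import html
import re

# Constructed sample rows as a report might persist them. The second group
# name is attacker-controlled text carrying script markup (a generic test
# string, not a payload taken from the advisory).
SAMPLE_GROUPS = [
    {"group": "DL-Finance", "permission": "Send As", "granted_to": "alice"},
    {"group": "<script>alert(1)</script>", "permission": "Send On Behalf", "granted_to": "mallory"},
]


def render_row_unsafe(row: dict) -> str:
    """Vulnerable pattern: stored values are interpolated directly into HTML,
    so markup saved in a group name is rendered as markup for every viewer."""
    return "<tr><td>{group}</td><td>{permission}</td><td>{granted_to}</td></tr>".format(**row)


def render_row_safe(row: dict) -> str:
    """Hardened pattern: every untrusted value is HTML-escaped for element
    content (quote=True also neutralises quotes, which matters if the same
    value is ever placed inside an attribute)."""
    values = (row["group"], row["permission"], row["granted_to"])
    cells = "".join(f"<td>{html.escape(str(v), quote=True)}</td>" for v in values)
    return f"<tr>{cells}</tr>"


# Coarse heuristic (assumption: good enough for a post-patch audit, not a
# filter): tag openers, inline event handlers, javascript: URLs.
_MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|\bon[a-zA-Z]+\s*=|javascript:", re.IGNORECASE)


def find_suspicious_values(rows):
    """Defender audit helper: return (row_index, field, value) for every stored
    field whose content looks like markup, so an operator can review what was
    persisted before the fix and clean it up."""
    hits = []
    for i, row in enumerate(rows):
        for key, value in row.items():
            if _MARKUP_RE.search(str(value)):
                hits.append((i, key, value))
    return hits


def render_report(rows, safe: bool = True) -> str:
    """Render the whole table with either the vulnerable or the hardened row renderer."""
    render = render_row_safe if safe else render_row_unsafe
    return "<table>" + "".join(render(r) for r in rows) + "</table>"


if __name__ == "__main__":
    print("unsafe :", render_report(SAMPLE_GROUPS, safe=False))
    print("safe   :", render_report(SAMPLE_GROUPS, safe=True))
    print("audit  :", find_suspicious_values(SAMPLE_GROUPS))
```

Escaping at output time is the control that removes the vulnerability regardless of what was stored; the audit helper only helps locate already-persisted data that should be reviewed, and a pattern list like `_MARKUP_RE` must not be relied on as the sanitiser itself.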
How to Fix
Upgrade ManageEngine Exchange Reporter Plus to version 5802 or later. This update fixes the stored XSS vulnerability in the Permissions based on Distribution Groups report.
Frequently Asked Questions
What is CVE-2026-28756 — XSS in ManageEngine Exchange Reporter Plus?
CVE-2026-28756 is a stored XSS vulnerability in ManageEngine Exchange Reporter Plus versions before 5802, allowing attackers to inject malicious scripts via the Permissions based on Distribution Groups report.
Am I affected by CVE-2026-28756 in ManageEngine Exchange Reporter Plus?
If you are using ManageEngine Exchange Reporter Plus versions 0–5802, you are potentially affected by this vulnerability. Upgrade to version 5802 to mitigate the risk.
How do I fix CVE-2026-28756 in ManageEngine Exchange Reporter Plus?
The recommended fix is to upgrade ManageEngine Exchange Reporter Plus to version 5802 or later. Consider input validation and WAF rules as temporary mitigations.
Is CVE-2026-28756 being actively exploited?
As of the current assessment, there are no confirmed reports of active exploitation of CVE-2026-28756, but the vulnerability is publicly known and could be targeted.
Where can I find the official ManageEngine advisory for CVE-2026-28756?
Please refer to the official ManageEngine security advisory for detailed information and updates regarding CVE-2026-28756: [https://www.manageengine.com/products/exchange-reporter-plus/security-advisories.html]