Stored XSS Kwetsbaarheid

Successful exploitation of CVE-2026-28754 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can be leveraged to steal session cookies, redirect users to malicious websites, or modify the content of the application. Given that Exchange Reporter Plus often handles sensitive email data, a compromised session could expose confidential information. The impact is particularly severe if the application is used by privileged users, as an attacker could potentially gain administrative access to the system.

Organizations utilizing ManageEngine Exchange Reporter Plus versions 0–5802, particularly those handling sensitive email data or with limited security controls, are at significant risk. Shared hosting environments where multiple users share the same Exchange Reporter Plus instance are also particularly vulnerable.

• manageengine: Examine Exchange Reporter Plus logs for unusual JavaScript execution patterns or suspicious URL parameters in Distribution Lists report requests.

Get-WinEvent -LogName Application -FilterXPath "/Event[System[Provider[@Name='ManageEngine Exchange Reporter Plus']]]" | Where-Object {$_.Message -match "Distribution Lists report"}

1. 2026-04-03Disclosure

   disclosure

1. Gereserveerd2026-03-13
2. Gepubliceerd2026-04-03
3. Gewijzigd2026-04-04
4. EPSS bijgewerkt2026-04-10

The primary mitigation for CVE-2026-28754 is to upgrade to version 5802 or later of ManageEngine Exchange Reporter Plus. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the Distribution Lists report to sanitize user-supplied data. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update WAF rules to ensure they are effective against known XSS attack patterns.