Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-5366

Summary
Assigner-Zohocorp
Assigner Org ID-0fc0942c-577d-436f-ae8e-945763c79b02
Published At-26 Jun, 2025 | 12:21
Updated At-26 Jun, 2025 | 12:54
Rejected At-
Credits

Stored XSS

Zohocorp ManageEngine Exchange reporter Plus version 5722 and below are vulnerable to Stored XSS in the Folder-wise read mails with subject report.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Zohocorp
Assigner Org ID:0fc0942c-577d-436f-ae8e-945763c79b02
Published At:26 Jun, 2025 | 12:21
Updated At:26 Jun, 2025 | 12:54
Rejected At:
▼CVE Numbering Authority (CNA)
Stored XSS

Zohocorp ManageEngine Exchange reporter Plus version 5722 and below are vulnerable to Stored XSS in the Folder-wise read mails with subject report.

Affected Products
Vendor
ManageEngine (Zoho Corporation Pvt. Ltd.)ManageEngine
Product
Exchange Reporter Plus
Default Status
unaffected
Versions
Affected
  • From 0 through 5722 (5722)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.18.1HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Version: 3.1
Base score: 8.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Ngockhanhc311 from FPT NightWolf
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.manageengine.com/products/exchange-reports/advisory/CVE-2025-5366.html
N/A
Hyperlink: https://www.manageengine.com/products/exchange-reports/advisory/CVE-2025-5366.html
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:0fc0942c-577d-436f-ae8e-945763c79b02
Published At:26 Jun, 2025 | 13:15
Updated At:26 Jun, 2025 | 18:57

Zohocorp ManageEngine Exchange reporter Plus version 5722 and below are vulnerable to Stored XSS in the Folder-wise read mails with subject report.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.1HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 8.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-79Secondary0fc0942c-577d-436f-ae8e-945763c79b02
CWE ID: CWE-79
Type: Secondary
Source: 0fc0942c-577d-436f-ae8e-945763c79b02
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.manageengine.com/products/exchange-reports/advisory/CVE-2025-5366.html0fc0942c-577d-436f-ae8e-945763c79b02
N/A
Hyperlink: https://www.manageengine.com/products/exchange-reports/advisory/CVE-2025-5366.html
Source: 0fc0942c-577d-436f-ae8e-945763c79b02
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

52Records found
CVE-2021-26628
Matching Score-4
Assigner-KrCERT/CC
ShareView Details
Matching Score-4
Assigner-KrCERT/CC
CVSS Score-8.1||HIGH
EPSS-0.30% / 52.84%
||
7 Day CHG~0.00%
Published-26 Apr, 2022 | 18:21
Updated-03 Aug, 2024 | 20:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MaxBoard XSS and File Upload Vulnerability

Insufficient script validation of the admin page enables XSS, which causes unauthorized users to steal admin privileges. When uploading file in a specific menu, the verification of the files is insufficient. It allows remote attackers to upload arbitrary files disguising them as image files.

Action-Not Available
Vendor-maxbNo Vendor InformationLinux Kernel Organization, Inc
Product-linux_kernelmaxboardMaxBoard
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2021-21422
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-1.09% / 77.03%
||
7 Day CHG~0.00%
Published-21 Jun, 2021 | 18:45
Updated-03 Aug, 2024 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS Vulnerability in mongo-express

mongo-express is a web-based MongoDB admin interface, written with Node.js and express. 1: As mentioned in this issue: https://github.com/mongo-express/mongo-express/issues/577, when the content of a cell grows larger than supported size, clicking on a row will show full document unescaped, however this needs admin interaction on cell. 2: Data cells identified as media will be rendered as media, without being sanitized. Example of different renders: image, audio, video, etc. As an example of type 1 attack, an unauthorized user who only can send a large amount of data in a field of a document may use a payload with embedded javascript. This could send an export of a collection to the attacker without even an admin knowing. Other types of attacks such as dropping a database\collection are possible.

Action-Not Available
Vendor-MongoDB, Inc.
Product-mongo-expressmongo-express
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • Next
Details not found