Zoho Corp Manageengine Exchange Reporter Plus

ManageEngine Exchange Reporter Plus Stored XSS via Custom Report
CVE-2025-7633 7.3 - High - November 11, 2025

Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Custom report.

XSS

Zohocorp ManageEngine Exchange Reporter Plus Stored XSS in Public Folders
CVE-2025-7632 7.3 - High - November 11, 2025

Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Public Folders report.

XSS

ManageEngine ERP XSS via Folder Message Count/Size Report
CVE-2025-7430 7.3 - High - November 11, 2025

Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Folder Message Count and Size report.

XSS

Stored XSS in Exchange Reporter Plus Mails Deleted/Moved Report
CVE-2025-7429 7.3 - High - November 11, 2025

Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Mails Deleted or Moved report.

XSS

Zoho ManageEngine Exchange Reporter Plus XSS in Reports Module (CVE-2025-5347)
CVE-2025-5347 6.3 - Medium - October 30, 2025

Zohocorp ManageEngine Exchange Reporter Plus versions before 5723 are vulnerable to Stored Cross Site Scripting in the reports module.

XSS

Stored XSS in ManageEngine Exchange Reporter Plus Instant Search
CVE-2025-5343 6.3 - Medium - October 30, 2025

Zohocorp ManageEngine Exchange Reporter Plus versions through 5721 are vulnerable to Stored Cross Site Scripting in the Instant Search option.

XSS

ManageEngine Exchange Reporter Plus ReDOS in Search Module
CVE-2025-5342 4.3 - Medium - October 30, 2025

Zohocorp ManageEngine Exchange Reporter Plus through 5721 are vulnerable to ReDOS vulnerability in the search module.

Resource Exhaustion

RCE in Content Search of ManageEngine Exchange Reporter Plus (v<=5721)
CVE-2025-3835 - June 09, 2025

Zohocorp ManageEngine Exchange Reporter Plus versions 5721 and prior are vulnerable to Remote code execution in the Content Search module.

SQL Injection in ManageEngine Exchange Reporter Plus Reports
CVE-2024-9459 8.8 - High - November 05, 2024

Zohocorp ManageEngine Exchange Reporter Plus versions 5718 and prior are vulnerable to authenticated SQL Injection in reports module.

SQL Injection

SQL Injection in Zohocorp ME Exchange Reporter Plus 5715
CVE-2024-6204 8.1 - High - August 30, 2024

Zohocorp ManageEngine Exchange Reporter Plus versions before 5715 are vulnerable to SQL Injection in the reports module.

SQL Injection

ManageEngine ERP Monitoring Module SQLi Vulnerability
CVE-2024-38872 8.8 - High - July 26, 2024

Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to the authenticated SQL injection in the monitoring module.

SQL Injection

Auth SQLi in ManageEngine Exchange Reporter Plus Reports Module
CVE-2024-38871 8.8 - High - July 26, 2024

Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to the authenticated SQL injection in the reports module.

SQL Injection

Zoho ManageEngine Exchange Reporter Plus SQLi via Report Export
CVE-2024-21775 8.8 - High - February 16, 2024

Zoho ManageEngine Exchange Reporter Plus versions 5714 and below are vulnerable to the Authenticated SQL injection in report exporting feature.

SQL Injection

Info Disclosure in ManageEngine via Exposed Encryption Keys (CVE-2023-6105)
CVE-2023-6105 5.5 - Medium - November 15, 2023

An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database.

ManageEngine Suite 2FA Bypass via TOTP Auth
CVE-2023-35785 8.1 - High - August 28, 2023

Zoho ManageEngine Active Directory 360 versions 4315 and below, ADAudit Plus 7202 and below, ADManager Plus 7200 and below, Asset Explorer 6993 and below and 7xxx 7002 and below, Cloud Security Plus 4161 and below, Data Security Plus 6110 and below, Eventlog Analyzer 12301 and below, Exchange Reporter Plus 5709 and below, Log360 5315 and below, Log360 UEBA 4045 and below, M365 Manager Plus 4529 and below, M365 Security Plus 4529 and below, Recovery Manager Plus 6061 and below, ServiceDesk Plus 14204 and below and 143xx 14302 and below, ServiceDesk Plus MSP 14300 and below, SharePoint Manager Plus 4402 and below, and Support Center Plus 14300 and below are vulnerable to 2FA bypass via a few TOTP authenticators. Note: A valid pair of username and password is required to leverage this vulnerability.

authentification

Zoho MngtEngine Exchange Reporter Plus XXE Vulnerability
CVE-2023-22624 7.5 - High - January 17, 2023

Zoho ManageEngine Exchange Reporter Plus before 5708 allows attackers to conduct XXE attacks.

XXE

Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131
CVE-2022-29457 8.8 - High - April 18, 2022

Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.

Insufficiently Protected Credentials