Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Public Folder Client Permissions report
Description
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Public Folder Client Permissions report
Remediation
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: Nodemailer
PRODUCT: smtp_server
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
CONFIDENCE: low
MISSING: versions, patch, technical_details
---END_METADATA---
Description Summary:
A security vulnerability exists in the Nodemailer smtp_server component. Precise technical details regarding the vulnerability mechanism are currently unavailable.
Executive Summary:
The Nodemailer smtp_server component is affected by a security vulnerability that may allow attackers to compromise email processing infrastructure.
Vulnerability Details
CVE-ID: CVE-2026-38728
Affected Software: Nodemailer smtp_server
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: This vulnerability affects the SMTP server implementation within Nodemailer. Due to the nature of mail transfer agents, unauthorized access could lead to message interception or relay abuse.
Business Impact
The CVSS score of 7.5 indicates a high-severity risk that could severely impact business communication and data confidentiality. An attacker successfully leveraging this flaw might intercept sensitive internal or external communications, leading to significant reputational and operational damage.
Remediation Plan
Immediate Action: Review the official Nodemailer project advisories to determine if a patch has been released and apply it immediately to all production instances.
Proactive Monitoring: Monitor SMTP traffic logs for unusual relay patterns, high volumes of outbound mail, or unauthorized connection attempts to the mail server.
Compensating Controls: Utilize a Web Application Firewall or specialized email security gateway to filter malicious traffic and restrict access to the SMTP service to known, trusted IP addresses.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of May 17, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
The reliance on core infrastructure components like SMTP servers makes this vulnerability particularly concerning. Organizations should verify their current version of Nodemailer smtp_server and monitor vendor channels closely for remediation instructions to mitigate the risk of unauthorized access.