CVE-2025-60378
BaseFortify
Publication date: 2025-10-10
Last updated on: 2025-11-17
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fairsketch | rise_ultimate_project_manager | before 3.9.4 (3.9.4 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-60378 is a stored HTML injection vulnerability in RISE Ultimate Project Manager & CRM versions prior to 3.9.4. Authenticated users with permissions to create or edit invoices, messages, or client notes can inject arbitrary HTML into invoice line item descriptions, client notes, and messaging modules. This malicious HTML is stored in the database and rendered in client-facing emails, PDFs, and messaging interfaces, including automated recurring invoices and reminders. The vulnerability arises from improper output encoding and insufficient input sanitization, allowing attackers to embed malicious content that can be used for phishing, credential theft, and business email compromise. [3]
How can this vulnerability impact me?
This vulnerability can lead to large-scale phishing attacks, credential theft, business email compromise (BEC), and malware delivery through emails and PDF attachments sent to clients or team members. Because the malicious HTML is included in automated recurring invoices and messages, the risk is amplified: a single injected record is distributed to multiple recipients. Attackers can deceive recipients with malicious links, embedded images, or styled text, potentially compromising sensitive information and damaging business trust. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking whether HTML content has been injected into invoice line item descriptions, client notes, or messaging modules within the RISE Ultimate Project Manager & CRM system. This can be done by reviewing database entries or exported invoice/message content for suspicious HTML tags such as anchor tags linking to unknown domains, embedded images, or styled text. Since the vulnerability requires authenticated access, checking audit logs for unusual edits by users with invoice or messaging permissions may also help. Specific commands are not provided, but inspecting database records or exported emails/PDFs for unexpected HTML content is recommended. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing and encoding all user-supplied content in invoices, messages, and client notes to prevent HTML injection. Disable HTML rendering in client-facing templates or enforce proper escaping of content. Restrict editing privileges to trusted users, preferably administrators, to reduce the risk of malicious input. Additionally, implement automated testing to detect and prevent rendering of malicious HTML in client communications. Applying the vendor's patch or upgrading to RISE Ultimate Project Manager & CRM version 3.9.4 or later is also recommended. [3]