CVE-2025-60378
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-10

Last updated on: 2025-11-17

Assigner: MITRE

Description
Stored HTML injection in RISE Ultimate Project Manager & CRM allows authenticated users to inject arbitrary HTML into invoices and messages. Injected content renders in emails, PDFs, and messaging/chat modules sent to clients or team members, enabling phishing, credential theft, and business email compromise. Automated recurring invoices and messaging amplify the risk by distributing malicious content to multiple recipients.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-10
Last Modified
2025-11-17
Generated
2026-06-16
AI Q&A
2025-10-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-60378
EUVD
EUVD-2025-33722
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fairsketch rise_ultimate_project_manager to 3.9.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-60378 is a stored HTML injection vulnerability in RISE Ultimate Project Manager & CRM versions prior to 3.9.4. Authenticated users with permissions to create or edit invoices, messages, or client notes can inject arbitrary HTML into invoice line item descriptions, client notes, and messaging modules. This malicious HTML is stored in the database and rendered in client-facing emails, PDFs, and messaging interfaces, including automated recurring invoices and reminders. The vulnerability arises from improper output encoding and insufficient input sanitization, allowing attackers to embed malicious content that can be used for phishing, credential theft, and business email compromise. [3]

Impact Analysis

This vulnerability can lead to large-scale phishing attacks, credential theft, business email compromise (BEC), and malware delivery through emails and PDF attachments sent to clients or team members. Because the malicious HTML is included in automated recurring invoices and messages, the risk is amplified by distributing harmful content to multiple recipients. Attackers can deceive recipients with malicious links, embedded images, or styled text, potentially compromising sensitive information and damaging business trust. [3]

Detection Guidance

Detection involves verifying if malicious HTML content has been injected into invoice line item descriptions, client notes, or messaging modules within the RISE Ultimate Project Manager & CRM system. This can be done by reviewing database entries or exported invoice/message content for suspicious HTML tags such as anchor tags linking to unknown domains, embedded images, or styled text. Since the vulnerability requires authenticated access, checking audit logs for unusual edits by users with invoice or messaging permissions may help. Specific commands are not provided, but inspecting database records or exported emails/PDFs for unexpected HTML content is recommended. [3]

Mitigation Strategies

Immediate mitigation steps include sanitizing and encoding all user-supplied content in invoices, messages, and client notes to prevent HTML injection. Disable HTML rendering in client-facing templates or enforce proper escaping of content. Restrict editing privileges to trusted users, preferably administrators, to reduce the risk of malicious input. Additionally, implement automated testing to detect and prevent rendering of malicious HTML in client communications. Applying the vendor's patch or upgrading to RISE Ultimate Project Manager & CRM version 3.9.4 or later is also recommended. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-60378. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart