CVE-2025-60378
Severity: HIGH
RISE Ultimate Project Manager & CRM - Stored HTML Injection
Stored HTML injection in RISE Ultimate Project Manager & CRM allows authenticated users to inject arbitrary HTML into invoices and messages. Injected content renders in emails, PDFs, and messaging/chat modules sent to clients or team members, enabling phishing, credential theft, and business email compromise. Automated recurring invoices and messaging amplify the risk by distributing malicious content to multiple recipients.
References
Product
http://rise.com
Exploit, Mitigation, Third Party Advisory
https://github.com/ajansha/CVE-2025-60378
Scores
CVSS v3
8.1
EPSS
0.0015
EPSS Percentile
35.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
fairsketch/rise_ultimate_project_manager
< 3.9.4
Published
Oct 10, 2025
Tracked Since
Feb 18, 2026