CVE-2025-60378
Published: 10 October 2025
Description
Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems.
Security Summary
CVE-2025-60378 is a stored HTML injection vulnerability (CWE-79) in RISE Ultimate Project Manager & CRM. Published on 2025-10-10, it allows authenticated users to inject arbitrary HTML into invoices and messages. The injected content renders in emails, PDFs, and messaging/chat modules distributed to clients or team members. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to its potential for confidentiality and integrity impacts.
Attackers require only low-privileged authenticated access to exploit this remotely with low complexity and no user interaction. They can inject malicious HTML that executes when rendered for recipients, enabling phishing, credential theft, and business email compromise. Automated recurring invoices and messaging features exacerbate the threat by repeatedly distributing the payload to multiple recipients.
Mitigation guidance and additional details are available in vendor resources at http://rise.com and the GitHub repository https://github.com/ajansha/CVE-2025-60378.
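The core defect and the standard fix, as an added illustration that is not code from the RISE project or from the advisory: a user-controlled invoice note dropped straight into an HTML email body renders whatever markup it carries, while HTML-escaping every user-controlled value on output shows the same note as literal text. The template, field names and sample records below are constructed for the example, and the audit helper is a hypothetical post-patch review aid for finding already-stored free-text fields that contain markup.

```python
"""Added example (not RISE project code): stored HTML injection in an
invoice note, its output-encoding fix, and an audit helper for records
already stored before patching. All names and data are constructed."""

import html
import re
from string import Template

# Constructed sample note a low-privileged user could submit. The markup is
# deliberately inert (a link and a bold tag); it only shows the rendering
# difference between the vulnerable and the fixed renderer.
SAMPLE_NOTE = ('Thanks! Pay here: <a href="https://example.invalid/pay">'
               'portal</a><b>URGENT</b>')

# Hypothetical invoice email template; $-placeholders are filled per invoice.
INVOICE_TEMPLATE = Template(
    "<p>Invoice $number for $client</p><p>Note: $note</p>"
)


def render_vulnerable(number: str, client: str, note: str) -> str:
    """Before: user-controlled fields are interpolated into the HTML body
    unchanged, so any tags in the note are rendered by the mail client."""
    return INVOICE_TEMPLATE.substitute(number=number, client=client, note=note)


def render_fixed(number: str, client: str, note: str) -> str:
    """After: every user-controlled value is HTML-escaped at the point of
    output (quote=True also escapes quotes, so values are safe inside
    attributes too). The note is displayed as text and cannot add tags."""
    return INVOICE_TEMPLATE.substitute(
        number=html.escape(number, quote=True),
        client=html.escape(client, quote=True),
        note=html.escape(note, quote=True),
    )


# Loose tag pattern: good enough to flag fields worth a human look; it is an
# audit heuristic, not a sanitizer, and must not replace output encoding.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def contains_markup(value: str) -> bool:
    """Return True if a stored free-text value contains an HTML-looking tag."""
    return TAG_RE.search(value) is not None


# Constructed sample of stored invoice/message records to audit.
SAMPLE_RECORDS = [
    {"id": "INV-1", "subject": "March retainer", "note": "Net 30, thank you."},
    {"id": "INV-2", "subject": "April retainer", "note": SAMPLE_NOTE},
    {"id": "MSG-7", "subject": "<img src=x>", "note": "see attached"},
]


def audit_records(records, fields=("subject", "note")):
    """Return ids of records whose free-text fields already contain markup,
    so they can be reviewed or re-encoded after the fix is deployed."""
    return [r["id"] for r in records if any(contains_markup(r[f]) for f in fields)]


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable("1042", "ACME", SAMPLE_NOTE))
    print("fixed:     ", render_fixed("1042", "ACME", SAMPLE_NOTE))
    print("records with markup:", audit_records(SAMPLE_RECORDS))
```

Escaping on output, rather than filtering on input, is the durable fix because the same stored note is rendered in several contexts (email, PDF, chat) and each renderer must neutralize it; the audit helper only helps find what was stored before the fix landed.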
Details
- CWE(s): CWE-79
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored HTML injection enables authenticated users to embed malicious links and content in legitimate emails, PDFs, recurring invoices, and CRM messaging/chat, facilitating internal spearphishing (T1534), spearphishing links (T1566.002), and spearphishing via service (T1566.003) for phishing, credential theft, BEC, and malware delivery.