216.73.216.169

CVE-2025-60378

· Published 10/10/2025 15:16 · Modified 10/10/2025 22:15

Labels: CVE-2025-60378 2025-10-10CVE-2025-60378CWE-79[email protected]

Essential information

Published
10/10/2025 15:16
Modified
10/10/2025 22:15
Author
Creator
CVSS
8.1 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS metrics

Description

Stored HTML injection in RISE Ultimate Project Manager & CRM allows authenticated users to inject arbitrary HTML into invoices and messages. Injected content renders in emails, PDFs, and messaging/chat modules sent to clients or team members, enabling phishing, credential theft, and business email compromise. Automated recurring invoices and messaging amplify the risk by distributing malicious content to multiple recipients.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
rise / ultimate project manager and crm cpe:2.3:a:rise:ultimate_project_manager_and_crm:*:*:*:*:*:*:*:*

References