Cyber Resilience

CVE-2025-60378

Severity: High · Public PoC

Published: 10 October 2025
Modified: 17 November 2025
KEV Added: not listed
Patch: none recorded
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0016 (36.8th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-60378 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Fairsketch Rise Ultimate Project Manager. Its CVSS base score is 8.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Internal Spearphishing (T1534). EPSS ranks it at the 36.8th percentile by exploit likelihood, below the median; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-60378 is a stored HTML injection vulnerability (CWE-79) in RISE Ultimate Project Manager & CRM. Published on 2025-10-10, it allows authenticated users to inject arbitrary HTML into invoices and messages. The injected content renders in emails, PDFs, and messaging/chat modules distributed to clients or team members. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N): high severity because of its confidentiality and integrity impact (C:H/I:H), with no availability impact.

Exploitation requires only low-privileged authenticated access (PR:L); it is remote, low in complexity and, as scored in the vector, needs no user interaction (UI:N). Injected HTML takes effect when it is rendered for recipients, enabling phishing, credential theft, and business email compromise. Whether the markup becomes active script or only a deceptive link depends on the renderer: most mail clients strip script but display anchors and images, which is enough for phishing. Automated recurring invoices and messaging features amplify the threat by redistributing the stored payload to multiple recipients on a schedule.

Mitigation guidance and additional details are available in vendor resources at http://rise.com and the GitHub repository https://github.com/ajansha/CVE-2025-60378.


Vulnerability details

Stored HTML injection in RISE Ultimate Project Manager & CRM allows authenticated users to inject arbitrary HTML into invoices and messages. Injected content renders in emails, PDFs, and messaging/chat modules sent to clients or team members, enabling phishing, credential theft, and business email compromise. Automated recurring invoices and messaging amplify the risk by distributing malicious content to multiple recipients.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1534 Internal Spearphishing (Lateral Movement)
After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization.

T1566.002 Spearphishing Link (Initial Access)
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

T1566.003 Spearphishing via Service (Initial Access)
Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems.

Why these techniques?

Stored HTML injection enables authenticated users to embed malicious links and content in legitimate emails, PDFs, recurring invoices, and CRM messaging/chat, facilitating internal spearphishing (T1534), spearphishing links (T1566.002), and spearphishing via service (T1566.003) for phishing, credential theft, BEC, and malware delivery.

CVEs Like This One

CVE-2025-23596 (shared CWE-79)
CVE-2026-22523 (shared CWE-79)
CVE-2025-23653 (shared CWE-79)
CVE-2025-30631 (shared CWE-79)
CVE-2025-23578 (shared CWE-79)
CVE-2025-23857 (shared CWE-79)
CVE-2025-22575 (shared CWE-79)
CVE-2025-23753 (shared CWE-79)
CVE-2025-28903 (shared CWE-79)
CVE-2025-23547 (shared CWE-79)

Affected Assets

Fairsketch RISE Ultimate Project Manager, versions ≤ 3.9.4

Mitigating Controls (NIST 800-53 r5) [AI]

prevent · SI-2 (Flaw Remediation) mandates identification, reporting, testing, and installation of fixes for flaws such as this stored HTML injection; installing the vendor fix removes the vulnerability itself.

prevent · SI-10 (Information Input Validation) requires validation of the invoice and message fields at the point of entry, so authenticated users cannot store arbitrary HTML in fields that are meant to hold plain text.

prevent · SI-15 (Information Output Filtering) enforces escaping or filtering of stored content when it is rendered into emails, PDFs, and chat modules, so markup that did reach the database is neutralized before it is delivered to any recipient.
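The following is an added example, not RISE's own code and not taken from the referenced repository; it is written in Python rather than the product's stack, and the e-mail template, field names and sample database rows are assumptions constructed for the demonstration. It shows the three things the analysis above and the SI-10/SI-15 controls describe: the vulnerable pattern of interpolating a stored note straight into an HTML e-mail, the input-validation and output-escaping fixes, and a triage pass over already-stored rows that puts recurring invoices first because they re-send on a schedule.

```python
"""Stored HTML injection (CWE-79) in user-editable invoice/message text:
a vulnerable renderer, its SI-10 (input validation) and SI-15 (output
filtering) counterparts, and a hunt over rows that are already stored.

Added example. The template, schema and sample rows below are assumptions
and do not reproduce RISE's code or database layout.
"""
import html
import re

# Hypothetical HTML e-mail template for an invoice; {note} is where a
# client-visible free-text field lands.
INVOICE_EMAIL_TEMPLATE = (
    "<html><body><h1>Invoice {number}</h1>"
    "<p>Notes: {note}</p></body></html>"
)

# An HTML tag: '<', optional '/', a letter, anything up to '>'.
# "5 < 6" does not match because no letter follows the '<'.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
# Named or numeric character references (&lt; &#60; &#x3c;), which a
# forgiving renderer may decode back into markup.
ENTITY_RE = re.compile(r"&#?[a-zA-Z0-9]+;")
HREF_RE = re.compile(r"""href\s*=\s*["']?\s*([^"'\s>]+)""", re.IGNORECASE)


def render_vulnerable(number: str, note: str) -> str:
    """The bug: stored text goes into the HTML unescaped, so a note of
    '<a href="https://evil.example">Pay here</a>' becomes a live link."""
    return INVOICE_EMAIL_TEMPLATE.format(number=number, note=note)


def validate_plain_text(note: str, max_len: int = 2000) -> str:
    """SI-10: a notes field holds plain text, so reject markup outright and
    bound its length. Raising instead of silently stripping lets the caller
    show the rejection to the user and log it."""
    if len(note) > max_len:
        raise ValueError("note too long")
    if TAG_RE.search(note) or ENTITY_RE.search(note):
        raise ValueError("HTML markup is not allowed in invoice notes")
    return note


def render_hardened(number: str, note: str) -> str:
    """SI-15: escape at the output boundary regardless of what validation
    did upstream. html.escape(quote=True) neutralises < > & " and '."""
    return INVOICE_EMAIL_TEMPLATE.format(
        number=html.escape(number, quote=True),
        note=html.escape(note, quote=True),
    )


# Constructed sample rows standing in for invoice notes and chat messages
# pulled from a database export. The schema is an assumption.
SAMPLE_ROWS = [
    {"table": "invoices", "id": 101, "recurring": False,
     "text": "Thanks for your business. Net 30."},
    {"table": "invoices", "id": 102, "recurring": True,
     "text": 'Pay via our <a href="https://pay.evil.example/login">secure portal</a>.'},
    {"table": "messages", "id": 7, "recurring": False,
     "text": '<img src="https://evil.example/t.png" onerror="alert(1)">'},
    {"table": "messages", "id": 8, "recurring": False,
     "text": "Meeting moved to 3pm, 5 < 6 so Tuesday wins"},
]


def hunt_stored_markup(rows):
    """Triage content that is already stored: every row containing markup,
    with any hrefs it carries, recurring rows first because they are
    re-sent automatically until the row is cleaned."""
    hits = []
    for row in rows:
        if TAG_RE.search(row["text"]) or ENTITY_RE.search(row["text"]):
            hits.append({
                "table": row["table"],
                "id": row["id"],
                "recurring": row["recurring"],
                "hrefs": HREF_RE.findall(row["text"]),
            })
    hits.sort(key=lambda h: (not h["recurring"], h["table"], h["id"]))
    return hits


if __name__ == "__main__":
    payload = '<a href="https://pay.evil.example/login">secure portal</a>'
    print("vulnerable:", render_vulnerable("INV-102", payload))
    print("hardened:  ", render_hardened("INV-102", payload))
    for hit in hunt_stored_markup(SAMPLE_ROWS):
        print("review", hit)
```

Validation and escaping are deliberately separate functions: SI-10 stops new payloads at the form, but it does nothing for rows stored before the fix, and SI-15 handles those at render time. The hunt output is the list of rows to clean by hand; with recurring invoices the row, not just the next e-mail, is what keeps the campaign alive.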
