CVE-2025-60378
Published: 10 October 2025
Summary
CVE-2025-60378 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Fairsketch Rise Ultimate Project Manager. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Internal Spearphishing (T1534). The vulnerability is ranked at the 36.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-60378 is a stored HTML injection vulnerability (CWE-79) in RISE Ultimate Project Manager & CRM. Published on 2025-10-10, it allows authenticated users to inject arbitrary HTML into invoices and messages. The injected content renders in emails, PDFs, and messaging/chat modules distributed to clients or team members. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), a high severity that reflects its high confidentiality and integrity impact.
Attackers require only low-privileged authenticated access to exploit this remotely with low complexity and no user interaction. They can inject malicious HTML that executes when rendered for recipients, enabling phishing, credential theft, and business email compromise. Automated recurring invoices and messaging features exacerbate the threat by repeatedly distributing the payload to multiple recipients.
Mitigation guidance and additional details are available in vendor resources at http://rise.com and the GitHub repository https://github.com/ajansha/CVE-2025-60378.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-33722
Vulnerability details
Stored HTML injection in RISE Ultimate Project Manager & CRM allows authenticated users to inject arbitrary HTML into invoices and messages. Injected content renders in emails, PDFs, and messaging/chat modules sent to clients or team members, enabling phishing, credential theft, and business email compromise. Automated recurring invoices and messaging amplify the risk by distributing malicious content to multiple recipients.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored HTML injection enables authenticated users to embed malicious links and content in legitimate emails, PDFs, recurring invoices, and CRM messaging/chat, facilitating internal spearphishing (T1534), spearphishing links (T1566.002), and spearphishing via service (T1566.003) for phishing, credential theft, BEC, and malware delivery.
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates identification, reporting, testing, and installation of fixes for flaws like this stored HTML injection vulnerability, directly eliminating the CVE.
SI-10 requires validation of inputs to invoices and messages, preventing storage of arbitrary malicious HTML by authenticated users.
SI-15 enforces output filtering for rendered content in emails, PDFs, and chat modules, blocking execution of injected HTML across recipients.
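The SI-10/SI-15 pattern described above, as an added example that is not RISE's own code or a patch for it: plain invoice fields are fully escaped, while a free-text "notes" field that legitimately carries light formatting passes through an allowlist sanitizer that keeps a few formatting tags and drops every attribute, link, image and script. Field names and the sample input are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Tags the free-text "notes" field may keep; every other tag (a, img, script,
# form, iframe, ...) is dropped, and attributes are never copied through.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "ol", "li"}
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds a fragment from allowlisted tags only; all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):      # drop these tags and their contents
            self.skip += 1
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")      # attributes intentionally omitted
            if tag not in VOID_TAGS:
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in self.open_tags:          # close nested tags to stay well-formed
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip:                    # decoded entities are escaped again
            self.out.append(escape(data, quote=True))

    def result(self):
        self.close()
        self.out.extend(f"</{t}>" for t in reversed(self.open_tags))
        return "".join(self.out)


def sanitize_notes(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()


def render_invoice_email(client_name, notes):
    # Plain fields: full escaping. Formatted field: allowlist sanitizer.
    return (f"<p>Dear {escape(client_name, quote=True)},</p>"
            f"<div class='notes'>{sanitize_notes(notes)}</div>")
```

The same filter belongs in front of the PDF and chat renderers, since the page notes the stored content reaches all three channels.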