CVE-2025-60378
Published 2025-10-10
Priority: P3 55 | Severity: high | CVSS 3.1: 8.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 1.06% (60.5th percentile)
Stored HTML injection in RISE Ultimate Project Manager & CRM allows authenticated users to inject arbitrary HTML into invoices and messages. Injected content renders in emails, PDFs, and messaging/chat modules sent to clients or team members, enabling phishing, credential theft, and business email compromise. Automated recurring invoices and messaging amplify the risk by distributing malicious content to multiple recipients.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fairsketch | rise_ultimate_project_manager | < 3.9.4 | 3.9.4 |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-10-10: Published