Rise · Rise Ultimate Project Manager · CVE-2025-60378
**Name of the Vulnerable Software and Affected Versions**
RISE Ultimate Project Manager & CRM (affected versions not specified)
**Description**
An issue in RISE Ultimate Project Manager & CRM allows authenticated users to inject arbitrary HTML into invoices and messages. The injected content renders in emails, PDFs, and messaging/chat modules sent to clients or team members, potentially enabling phishing, credential theft, and business email compromise. Automated recurring invoices and messaging can amplify the risk by distributing malicious content to multiple recipients.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
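Until a fixed version is known, stored invoice and message text can be audited for markup, and any custom template that re-renders those fields can output-encode them. The following is an added example, not code from RISE or from this advisory; the record layout and the field names `note` and `message` are assumptions, and the sample rows are constructed.

```python
import html
from html.parser import HTMLParser

# Tags that can turn an invoice or message into a link, form or remote-content carrier.
HIGH_RISK_TAGS = {"a", "form", "input", "button", "img", "iframe",
                  "script", "style", "meta", "link", "base"}

class _TagCollector(HTMLParser):
    """Collects the name of every start tag the parser recognises."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def find_markup(value):
    """Return the HTML start tags present in one stored field value."""
    collector = _TagCollector()
    collector.feed(value)
    collector.close()
    return collector.tags

def audit_records(records, fields):
    """Return (record id, field, tags, high_risk) for each field holding markup."""
    findings = []
    for rec in records:
        for field in fields:
            tags = find_markup(str(rec.get(field) or ""))
            if tags:
                high_risk = bool(HIGH_RISK_TAGS & set(tags))
                findings.append((rec["id"], field, tags, high_risk))
    return findings

def render_field(value):
    """Output-encode a user-supplied field before it enters an email or PDF template."""
    return html.escape(value, quote=True)

# Constructed sample rows; "note" and "message" are hypothetical field names.
SAMPLE = [
    {"id": 101, "note": "Payment due in 14 days. Thank you!", "message": "See attached."},
    {"id": 102, "note": '<a href="https://example.invalid/pay">Pay here</a>', "message": "5 < 7 hours"},
    {"id": 103, "note": "<b>Reminder</b>", "message": ""},
]

if __name__ == "__main__":
    for finding in audit_records(SAMPLE, ["note", "message"]):
        print(finding)
    print(render_field(SAMPLE[1]["note"]))
```

Records flagged as high risk are the ones to review first, since recurring invoices resend the same stored content to every recipient.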