PT-2025-41567 · Rise · Rise Ultimate Project Manager

Ajansha · Published 2025-10-10 · Updated 2025-11-17 · CVE-2025-60378

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions: RISE Ultimate Project Manager & CRM (affected versions not specified)

Description: An issue exists in RISE Ultimate Project Manager & CRM that allows authenticated users to inject arbitrary HTML into invoices and messages. The injected content renders in emails, PDFs, and messaging/chat modules sent to clients or team members, potentially enabling phishing, credential theft, and business email compromise. Automated recurring invoices and messaging can amplify the risk by distributing malicious content to multiple recipients.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

XSS

Weakness Enumeration

Related Identifiers: CVE-2025-60378

Affected Products: Rise Ultimate Project Manager