CVE-2025-60378: n/a
Stored HTML injection in RISE Ultimate Project Manager & CRM allows authenticated users to inject arbitrary HTML into invoices and messages. Injected content renders in emails, PDFs, and messaging/chat modules sent to clients or team members, enabling phishing, credential theft, and business email compromise. Automated recurring invoices and messaging amplify the risk by distributing malicious content to multiple recipients.
AI Analysis
Technical Summary
CVE-2025-60378 is a stored HTML injection vulnerability found in the RISE Ultimate Project Manager & CRM platform. The flaw allows authenticated users to insert arbitrary HTML code into invoices and messages within the system. This injected HTML is then rendered in multiple output formats, including emails sent to clients or team members, PDF documents generated by the system, and internal messaging or chat modules. Because the malicious content is stored persistently, it can be distributed repeatedly, especially through automated recurring invoices and messaging features, amplifying the attack surface and reach. The injected HTML can be crafted to perform phishing attacks, steal credentials, or facilitate business email compromise by impersonating trusted communications. Exploitation requires an authenticated user account, which means attackers need some level of access, but once inside, the impact can be severe. No official CVSS score has been assigned yet, but the vulnerability affects confidentiality and integrity by enabling social engineering and unauthorized data capture. The lack of patches or mitigation details in the provided information suggests organizations must proactively implement controls to reduce risk. This vulnerability highlights the risks of insufficient input sanitization in web applications that generate dynamic content for external communication.
Potential Impact
For European organizations, the impact of CVE-2025-60378 can be significant, especially for businesses relying on RISE Ultimate Project Manager & CRM for client invoicing and internal communications. The ability to inject malicious HTML into trusted documents and messages can lead to widespread phishing campaigns targeting clients and employees, resulting in credential theft and potential financial fraud. Business email compromise facilitated by this vulnerability can cause reputational damage and financial losses. Automated recurring communications increase the scale and speed of attack propagation, making detection and containment more difficult. Organizations in sectors with high regulatory scrutiny around data protection and communication integrity, such as finance, legal, and healthcare, face additional compliance risks. The vulnerability also undermines trust in business communications, potentially affecting client relationships and contractual obligations. Given the authenticated access requirement, insider threats or compromised user accounts pose a heightened risk. Overall, the vulnerability could disrupt business operations, lead to data breaches, and cause significant financial and reputational harm.
Mitigation Recommendations
To mitigate CVE-2025-60378, European organizations should implement the following specific measures:
1) Enforce strict input validation and sanitization on all user-generated content fields within the RISE Ultimate Project Manager & CRM, particularly those that generate invoices and messages.
2) Restrict user permissions to limit who can create or modify invoice and message content, applying the principle of least privilege.
3) Monitor and audit user activities to detect unusual or unauthorized content injections early.
4) Implement content security policies (CSP) and email security controls such as DMARC, DKIM, and SPF to reduce the impact of malicious emails.
5) Educate employees and clients about phishing risks and encourage verification of unexpected or suspicious communications.
6) Disable or carefully review automated recurring invoice and messaging features until the vulnerability is patched or mitigated.
7) Engage with the software vendor for patches or updates and apply them promptly once available.
8) Use email filtering solutions that can detect and block malicious HTML content.
9) Consider isolating PDF generation processes to prevent execution of embedded scripts or malicious content.
10) Regularly review and update incident response plans to handle potential phishing or business email compromise incidents stemming from this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68e91c0c99b0507a10243325
Added to database: 10/10/2025, 2:45:32 PM
Last enriched: 10/10/2025, 2:59:56 PM
Last updated: 10/10/2025, 5:21:23 PM