Multiple vulnerabilities in Fairsketch's RISE CRM Framework
RISE CRM Framework, versions prior to 3.9
INCIBE has coordinated the publication of 6 medium-severity vulnerabilities that affect Fairsketch's RISE CRM Framework, a CRM and project management application. These vulnerabilities were discovered by Gonzalo Aguilar García (6h4ack).
These vulnerabilities have been assigned the following codes, CVSS v4.0 base score, CVSS vector and CWE type:
- From CVE-2025-41101 to CVE-2025-41106: CVSS v4.0: 5.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N | CWE-79.
These vulnerabilities have been fixed by the Fairsketch team in version 3.9.
HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs, triggered by sending a POST request. The list of assigned parameters and identifiers is as follows:
- CVE-2025-41101: parameter 'title' in '/projects/save'.
- CVE-2025-41102: parameter 'title' in '/events/save'.
- CVE-2025-41103: parameter 'reply_message' in '/messages/reply'.
- CVE-2025-41104: parameter 'custom_field_1' in '/estimate_requests/save_estimate_request'.
- CVE-2025-41105: parameter 'title' in '/tickets/save'.
- CVE-2025-41106: parameter 'first_name' in '/clients/save_contact/'.
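The six findings share one root cause: a text field submitted by POST is stored and later written into the page without being encoded for the HTML context. The following PHP snippet is an added example, not RISE CRM's own code, that shows the vulnerable output pattern beside the hardened one and adds an input-side check for fields that are meant to be plain text. The field name 'title' and the '/projects/save' endpoint are taken from the advisory; the handler and function names, and the sample POST body, are constructed for illustration.

```php
<?php
// Added example (not RISE CRM's code): the CWE-79 pattern from the advisory and its fix.
// 'title' and '/projects/save' come from the advisory; everything else here is hypothetical.

declare(strict_types=1);

// Vulnerable pattern: the submitted value is written into the page unchanged,
// so any markup it carries becomes part of the rendered DOM.
function render_title_unsafe(string $title): string
{
    return '<h2 class="project-title">' . $title . '</h2>';
}

// Hardened pattern: encode at the HTML output boundary. ENT_QUOTES also encodes
// both quote characters (needed in attribute contexts), ENT_HTML5 selects the
// HTML5 entity table, and the explicit charset avoids mis-handling multibyte input.
function render_title_safe(string $title): string
{
    $encoded = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2 class="project-title">' . $encoded . '</h2>';
}

// Defence in depth on the input side: a project, event or ticket title is plain
// text, so reject values that contain markup or are unreasonably long instead of
// trying to "clean" them. Returns a list of validation errors (empty means OK).
function validate_plain_text_field(string $value, int $maxLength = 200): array
{
    $errors = [];
    if (mb_strlen($value, 'UTF-8') > $maxLength) {
        $errors[] = "exceeds {$maxLength} characters";
    }
    if ($value !== strip_tags($value)) {
        $errors[] = 'contains HTML markup';
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $value) === 1) {
        $errors[] = 'contains control characters';
    }
    return $errors;
}

// Simulated POST body for /projects/save (constructed, not captured traffic).
// A harmless bold tag is enough to show the difference between the two renderers.
$post = ['title' => 'Q3 roadmap <b>draft</b>'];

echo 'Unsafe: ' . render_title_unsafe($post['title']) . PHP_EOL;
echo 'Safe:   ' . render_title_safe($post['title']) . PHP_EOL;

$errors = validate_plain_text_field($post['title']);
echo 'Validation: ' . ($errors === [] ? 'ok' : implode('; ', $errors)) . PHP_EOL;
```

Run it with `php example.php`. The unsafe renderer emits the `<b>` element as live markup, the safe renderer emits it as entity-encoded text, and the validator flags the value before it is ever stored. Output encoding is the fix that actually closes the vulnerability; the input check only narrows what reaches storage and must not be relied on alone, since the same stored value may be rendered in other contexts (attributes, JavaScript, e-mail templates) that need their own encoding.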