CVE-2025-63293 in RISE Ultimate Project Manager & CRM

Summary

by MITRE • 11/03/2025

FairSketch Rise Ultimate Project Manager & CRM 3.9.4 is vulnerable to Insecure Permissions. A remote authenticated user can append comments or upload attachments to tickets for which they lack view or edit authorization, due to missing authorization checks in the ticketing/commenting API.


Analysis

by VulDB Data Team • 11/03/2025

The vulnerability identified as CVE-2025-63293 affects FairSketch Rise Ultimate Project Manager & CRM version 3.9.4, presenting a critical insecure permissions issue that undermines the application's access control mechanisms. This flaw allows remote authenticated users to bypass intended authorization restrictions when interacting with ticketing functionality, specifically enabling them to append comments or upload attachments to tickets they should not have access to based on their assigned permissions. The vulnerability stems from inadequate validation of user privileges within the ticketing and commenting application programming interface, creating a direct pathway for unauthorized data manipulation and potential information disclosure.

The technical implementation of this vulnerability manifests through the absence of proper authorization checks within the ticketing/commenting API endpoints. When authenticated users attempt to perform operations such as adding comments or uploading attachments to tickets, the system fails to verify whether the requesting user possesses sufficient privileges to access the target ticket. This authorization gap exists at multiple levels within the application's permission model, allowing users with limited access rights to manipulate tickets they should only be able to view or interact with minimally. The flaw operates at the API layer, where the system trusts the user's input without performing necessary checks against the ticket's access control lists or user role assignments.

From an operational perspective, this vulnerability creates significant risks for organizations using the FairSketch Rise platform, as it enables potential data integrity violations and unauthorized access to sensitive project information. An attacker with valid credentials but insufficient privileges could exploit this vulnerability to inject malicious content into tickets, potentially leading to information leakage, data corruption, or the introduction of harmful attachments that could be used for further attacks. The impact extends beyond simple unauthorized access, as the ability to add comments and attachments to restricted tickets could be leveraged for social engineering attacks, misinformation campaigns, or to manipulate project records for fraudulent purposes.

The vulnerability aligns with CWE-285, which addresses improper authorization issues in software systems, and represents a clear violation of the principle of least privilege that should govern all access control mechanisms. From an attack perspective, this flaw maps to several ATT&CK techniques including T1078 for valid accounts and T1566 for social engineering, as it enables attackers to escalate their privileges through legitimate access points. The vulnerability also connects to T1531, which deals with account access removal, as compromised users could manipulate ticket access controls to maintain unauthorized access. Organizations should consider implementing compensating controls such as network segmentation, enhanced monitoring of ticketing API endpoints, and regular access control audits to mitigate the risk of exploitation.

Mitigation strategies for CVE-2025-63293 should include immediate implementation of proper authorization checks within the ticketing API, ensuring that all operations performed on tickets validate the user's permissions against the ticket's access control requirements. Organizations should also implement comprehensive logging and monitoring of ticketing activities to detect unauthorized access attempts and ensure that all user interactions with tickets are properly audited. The recommended solution involves patching the application to enforce strict authorization controls at the API level, implementing role-based access controls that verify user privileges before allowing any ticket modification operations, and conducting thorough security testing to validate that all authorization checks function correctly. Additionally, organizations should establish automated alerts for unusual ticket access patterns and implement regular security assessments to identify similar authorization gaps in other application components.
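The missing check described above is an object-level authorization gap: the API confirms that the caller is logged in but never confirms that the caller may act on the target ticket. The following Python is an added illustration, not Rise's own code (which is not shown here); the role model (admin, staff assigned to a ticket, client scoped to its own client_id) and the two handler versions are constructed assumptions that show the vulnerable pattern beside the corrected one.

```python
from dataclasses import dataclass, field
from typing import Optional


class AuthorizationError(Exception):
    """Raised when an authenticated user may not act on a ticket."""


@dataclass
class Ticket:
    ticket_id: int
    client_id: int                      # owning client organisation (constructed)
    assigned_to: set = field(default_factory=set)   # staff user_ids on the ticket
    comments: list = field(default_factory=list)    # (user_id, text) pairs


@dataclass
class User:
    user_id: int
    role: str                           # "admin", "staff" or "client" (assumed roles)
    client_id: Optional[int] = None     # only meaningful for role == "client"


def can_access_ticket(user: User, ticket: Ticket) -> bool:
    """Object-level check: may this user view/edit this specific ticket?"""
    if user.role == "admin":
        return True
    if user.role == "staff":
        return user.user_id in ticket.assigned_to
    # Clients may only touch tickets belonging to their own organisation.
    return user.role == "client" and user.client_id == ticket.client_id


def add_comment_vulnerable(user: Optional[User], ticket: Ticket, text: str) -> bool:
    """Pattern behind CVE-2025-63293: authentication only, no per-ticket check."""
    if user is None:
        raise AuthorizationError("login required")
    ticket.comments.append((user.user_id, text))   # any logged-in user succeeds
    return True


def add_comment_fixed(user: Optional[User], ticket: Ticket, text: str) -> bool:
    """Corrected handler: authenticate, then authorize against the target ticket."""
    if user is None:
        raise AuthorizationError("login required")
    if not can_access_ticket(user, ticket):
        # Deny before any state change; log this for the monitoring described above.
        raise AuthorizationError(
            f"user {user.user_id} may not comment on ticket {ticket.ticket_id}")
    ticket.comments.append((user.user_id, text))
    return True
```

The same `can_access_ticket` gate belongs in front of every ticket mutation (attachment upload included), not only the comment path.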

Responsible: MITRE
Reservation: 10/27/2025
Disclosure: 11/03/2025
Moderation: accepted
CPE: ready
EPSS: 0.00058
KEV: no
Activities: very low
