CVE-2025-10366 is a cross-site scripting (XSS) vulnerability identified in the MiczFlor RPi-Jukebox-RFID software, specifically affecting versions up to 2.8.0. The vulnerability resides in an unspecified function within the /htdocs/inc.setWlanIpMail.php file, where improper handling of the Email address argument allows an attacker to inject malicious scripts. This flaw can be exploited remotely without requiring authentication, although user interaction is necessary to trigger the XSS payload. The vulnerability has a CVSS 4.0 base score of 5.1, indicating a medium severity level. The attack vector is network-based with low attack complexity and no privileges required, but it requires user interaction. The impact primarily affects the integrity and potentially the confidentiality of the affected system by enabling script execution in the context of the victim's browser. The vendor was notified early but has not responded or issued a patch, and while an exploit has been published, there are no known exploits in the wild at this time. The RPi-Jukebox-RFID is a software solution designed to run on Raspberry Pi devices, commonly used for personal or small-scale media jukebox applications with RFID integration. The vulnerability could allow attackers to perform actions such as session hijacking, defacement, or redirecting users to malicious sites if exploited successfully.

For European organizations, the impact of this vulnerability depends largely on the deployment context of the RPi-Jukebox-RFID software. While primarily targeted at personal or small business users, organizations using this software in public-facing or shared environments could face risks of user session compromise or unauthorized actions via injected scripts. This could lead to data leakage, unauthorized access to internal resources if the device is connected to broader networks, or reputational damage if exploited in public or customer-facing scenarios. The lack of vendor response and patch availability increases the risk exposure duration. Additionally, since the vulnerability requires user interaction, social engineering or phishing campaigns could be used to increase exploitation success. The medium severity rating suggests moderate impact, but organizations should consider the potential for lateral movement or pivoting if the affected device is part of a larger network infrastructure.

Given the absence of an official patch, European organizations should implement specific mitigations: 1) Restrict network access to the RPi-Jukebox-RFID device by placing it behind firewalls or network segmentation to limit exposure to untrusted networks. 2) Disable or restrict access to the vulnerable functionality (/htdocs/inc.setWlanIpMail.php) if feasible, possibly by modifying the web server configuration or applying custom input validation filters to sanitize the Email address parameter. 3) Educate users about the risks of interacting with suspicious links or inputs related to the device to reduce the likelihood of successful user interaction exploitation. 4) Monitor network traffic and logs for unusual activity or attempts to exploit the XSS vulnerability. 5) Consider alternative software solutions or isolate the device from critical infrastructure until a vendor patch or update is available. 6) Regularly check for vendor updates or community patches and apply them promptly once released.