CVE-2025-10366: Cross Site Scripting in MiczFlor RPi-Jukebox-RFID
A flaw has been found in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Affected is an unknown function of the file /htdocs/inc.setWlanIpMail.php. Manipulation of the argument 'Email address' causes cross-site scripting. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10366 is a cross-site scripting (XSS) vulnerability identified in the MiczFlor RPi-Jukebox-RFID software, affecting versions up to 2.8.0. The vulnerability resides in an unspecified function within the /htdocs/inc.setWlanIpMail.php file, where insufficient validation and sanitization of the 'Email address' argument allows an attacker to inject script into the page. This flaw can be exploited remotely without authentication, though user interaction is necessary to trigger the payload, as indicated by the CVSS vector. The vulnerability enables an attacker to execute arbitrary JavaScript in the context of the victim's browser when they open a manipulated interface or link. This can lead to session hijacking, defacement, or redirection to malicious sites, potentially compromising user data or the integrity of the web interface. The vendor was notified but has not responded, and no patches are currently available. Although exploit code has been published, there are no confirmed reports of exploitation in the wild. The CVSS 4.0 base score is 5.1, a medium severity: the flaw is remotely exploitable and requires no privileges, but it needs user interaction and has limited impact on confidentiality and availability. The vulnerability affects all versions from 2.0 through 2.8.0 of RPi-Jukebox-RFID, a music player system for Raspberry Pi devices with RFID capabilities, commonly used in hobbyist and niche audio applications.
Potential Impact
For European organizations, the impact of this vulnerability depends largely on the deployment scale and context of RPi-Jukebox-RFID usage. While primarily a niche product, organizations or institutions using these devices in public or semi-public environments (e.g., libraries, museums, educational institutions) could face risks of interface compromise or user session hijacking. The XSS vulnerability could be leveraged to conduct phishing attacks, steal user credentials, or inject malicious content, potentially undermining user trust and leading to reputational damage. However, since the affected product is not a critical infrastructure component and the vulnerability requires user interaction, the direct operational impact on confidentiality and availability is limited. Still, attackers could use this as a foothold for further attacks within a local network if the device interfaces with other systems. The lack of vendor response and patch availability increases the risk window, especially for organizations with limited capacity to implement custom mitigations. Additionally, the vulnerability could be exploited in targeted attacks against enthusiasts or organizations using these devices, particularly if combined with social engineering.
Mitigation Recommendations
Given the absence of official patches, European organizations should implement several practical mitigations:
1) Restrict access to the RPi-Jukebox-RFID web interface by network segmentation or firewall rules to limit exposure to trusted users only.
2) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious input patterns targeting the Email address parameter.
3) Educate users about the risks of interacting with untrusted links or inputs related to the device interface to reduce successful exploitation via social engineering.
4) If feasible, review and modify the source code of the affected PHP file to implement proper input validation and output encoding for the Email address parameter, thereby neutralizing the XSS vector.
5) Monitor network and device logs for unusual activity indicative of attempted exploitation.
6) Consider isolating or replacing the affected devices in high-risk environments until a vendor patch or community fix becomes available.
7) Regularly check for updates from the vendor or community for any released patches or mitigations.
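As an added illustration of mitigation 4 (not code from the RPi-Jukebox-RFID project, whose affected function is not shown on this page), the pattern below validates an email parameter on input and HTML-encodes it on output; the parameter name, form layout and sample values are assumptions:

```php
<?php
// Added example, not the project's code. Demonstrates the two controls that
// close an XSS vector in a form field: validate the input as an email address,
// and HTML-encode the value whenever it is written back into the page.

// Returns a normalized address, or null if the value is not a valid email.
// Anything that fails here (quotes, angle brackets, stray markup) is rejected
// before it ever reaches the HTML output.
function validate_email(string $raw): ?string {
    $candidate = trim($raw);
    $valid = filter_var($candidate, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Renders the field. The value is encoded with ENT_QUOTES so that both single
// and double quotes become entities; this is what prevents an attacker-supplied
// value from closing the attribute and injecting a tag or event handler.
function render_email_field(?string $email): string {
    $value = $email ?? '';
    return '<input type="text" name="email" value="'
        . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '">';
}

// Constructed sample values: one legitimate address and one that is not an
// address at all (it would be rejected by validation even before encoding).
$samples = ['user@example.org', '"><b>not an address</b>'];

foreach ($samples as $raw) {
    $checked = validate_email($raw);
    if ($checked === null) {
        // Echo the rejected value encoded as well; error messages are output too.
        echo 'rejected: ' . htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "\n";
        continue;
    }
    echo render_email_field($checked) . "\n";
}
```

Validation alone is not enough: any error message or confirmation page that reflects the submitted value must encode it as well, which is why the rejected branch encodes too.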
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-12T14:04:22.233Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c5756be14ebf9f5cc6246c
Added to database: 9/13/2025, 1:45:15 PM
Last enriched: 9/13/2025, 2:00:13 PM
Last updated: 9/13/2025, 8:38:00 PM