CVE-2025-10367: Cross Site Scripting in MiczFlor RPi-Jukebox-RFID
A vulnerability has been found in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Affected by this vulnerability is an unknown functionality of the file /htdocs/cardEdit.php. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10367 is a cross-site scripting (XSS) vulnerability identified in the MiczFlor RPi-Jukebox-RFID software, specifically affecting versions up to 2.8.0. The vulnerability resides in an unspecified functionality within the /htdocs/cardEdit.php file. XSS vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking, defacement, or redirection to malicious sites. This particular flaw can be exploited remotely without authentication, although it requires some user interaction (UI:P) to trigger the malicious script. The vulnerability has a CVSS 4.0 base score of 5.1, indicating a medium severity level. The attack complexity is low, and no privileges are required to launch the attack, but user interaction is necessary. The vendor was notified but did not respond or provide a patch, and no known exploits are currently reported in the wild. The RPi-Jukebox-RFID is an open-source jukebox software designed for Raspberry Pi devices, commonly used by hobbyists and small-scale deployments for music playback via RFID cards. The vulnerability in the cardEdit.php component suggests that user input is not properly sanitized or encoded, allowing script injection. Given the nature of the product, the attack surface is primarily web-based interfaces accessible to users managing or interacting with the jukebox system. While the impact on confidentiality and availability is limited, the integrity of the user interface and user sessions can be compromised, potentially leading to further attacks if combined with other vulnerabilities or social engineering.
Potential Impact
For European organizations, the direct impact of this vulnerability is likely limited due to the niche usage of RPi-Jukebox-RFID primarily in hobbyist or small-scale environments rather than critical infrastructure. However, organizations using Raspberry Pi devices with this software in public or semi-public settings (e.g., libraries, community centers, educational institutions) could face risks of session hijacking or defacement, leading to reputational damage or unauthorized access to user sessions. The vulnerability could also be leveraged as a foothold for lateral movement if the device is connected to larger networks without proper segmentation. Additionally, since the vendor has not responded or patched the issue, affected organizations may be exposed for an extended period, increasing the window for potential exploitation. The requirement for user interaction somewhat limits the risk but does not eliminate it, especially in environments where users are less security-aware. Overall, the impact is moderate but should not be ignored in environments where these devices are networked or accessible by multiple users.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should take the following specific actions:
1) Immediately restrict access to the web interface of RPi-Jukebox-RFID devices to trusted networks or VPNs to reduce exposure to remote attackers.
2) Implement web application firewalls (WAF) or intrusion detection systems (IDS) that can detect and block common XSS attack patterns targeting the cardEdit.php endpoint.
3) Educate users on the risks of interacting with suspicious links or inputs related to the jukebox interface to reduce the likelihood of successful user interaction exploitation.
4) If feasible, review and sanitize all user inputs manually or via custom scripts until an official patch is available, focusing on the cardEdit.php functionality.
5) Monitor network traffic and logs for unusual activity related to these devices, especially attempts to access or manipulate the cardEdit.php page.
6) Consider isolating Raspberry Pi devices running this software on segmented VLANs to limit potential lateral movement.
7) Regularly check for vendor updates or community patches and apply them promptly once available.
8) If the device is not critical, consider discontinuing use until a secure version is released.
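As an added example for recommendation 5 (not code from the advisory or the RPi-Jukebox-RFID project), the script below scans constructed Apache-style access log lines for requests to cardEdit.php whose URL-decoded query values carry script-injection markers. The parameter name cardID and the log lines are assumptions made for the sample; the advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format; not real traffic.
# The "cardID" parameter name is an assumption, not taken from the advisory.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Sep/2025:14:15:14 +0000] "GET /cardEdit.php?cardID=0012345678 HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
192.0.2.10 - - [13/Sep/2025:14:16:02 +0000] "GET /index.php HTTP/1.1" 200 9881 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Sep/2025:14:17:40 +0000] "GET /cardEdit.php?cardID=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4100 "-" "curl/8.0"
198.51.100.7 - - [13/Sep/2025:14:18:05 +0000] "GET /cardEdit.php?cardID=0012%22%20onmouseover%3D%22x HTTP/1.1" 200 4100 "-" "curl/8.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic markers that should never appear in a decoded value bound for an HTML page:
# tag openers, inline event handlers (onerror=, onmouseover=, ...), javascript: URLs.
XSS_RE = re.compile(r'<\s*/?\s*(script|img|svg|iframe)\b|\bon[a-z]+\s*=|javascript\s*:', re.I)


def suspicious_cardedit_requests(log_text):
    """Return (ip, timestamp, param, decoded_value) tuples for cardEdit.php
    requests whose query values contain script-injection markers."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/cardedit.php"):
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            # parse_qsl already decoded once; decode again so double-encoded
            # values (e.g. %253C for '<') are still caught.
            decoded = unquote_plus(value)
            if XSS_RE.search(decoded):
                hits.append((m.group("ip"), m.group("ts"), name, decoded))
    return hits


if __name__ == "__main__":
    for ip, ts, param, value in suspicious_cardedit_requests(SAMPLE_LOG):
        print(f"{ts} {ip} cardEdit.php param={param!r} value={value!r}")
```

Run it against the device's real access log instead of SAMPLE_LOG; anything it flags is worth correlating with which users then loaded the edited card page.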
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-12T14:04:33.577Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68c57c72e14ebf9f5cc6689f
Added to database: 9/13/2025, 2:15:14 PM
Last enriched: 9/21/2025, 12:37:24 AM
Last updated: 10/30/2025, 4:03:31 PM