CVE-2025-10367: Cross Site Scripting in MiczFlor RPi-Jukebox-RFID
A vulnerability has been found in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Affected by this vulnerability is an unknown functionality of the file /htdocs/cardEdit.php. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10367 is a cross-site scripting (XSS) vulnerability in MiczFlor RPi-Jukebox-RFID, affecting versions up to 2.8.0. The flaw lies in an unspecified function of the /htdocs/cardEdit.php file and allows an attacker to inject script into the web interface of RPi-Jukebox-RFID, a Raspberry Pi application that controls music playback with RFID cards. It can be triggered remotely without authentication, but user interaction is required: a victim has to open a manipulated page before the injected script runs.
The CVSS 4.0 base score is 5.1 (medium): network attack vector, low attack complexity, no privileges or authentication required, user interaction required. Confidentiality and integrity are affected to a limited extent, since the script executes in the victim's browser and could be used for session hijacking, defacement or redirection to malicious sites. The vendor was notified but did not respond, and no patch has been published. No exploitation in the wild is known, but the public disclosure raises the likelihood of attempts. Because the software is mostly run in hobbyist or small-scale settings, the attack surface is limited but still relevant for anyone who uses it for media playback and management.
Potential Impact
For European organizations, the impact depends largely on where the RPi-Jukebox-RFID system is deployed. It is mainly used in personal or small-business settings, but some niche European entities may use it for localized media management. Exploitation yields script execution in the web interface of the affected system, which can compromise user sessions or redirect users to malicious content, and so lead to data leakage or integrity problems. The vulnerability does not directly threaten critical infrastructure or large enterprise environments, but it could serve as a foothold in a broader attack chain where Raspberry Pi devices are connected to larger networks. The lack of vendor response and the absence of patches add to the risk, because European users may stay exposed for an extended period. The need for user interaction limits automated exploitation but does not remove the risk, especially where users open the vulnerable interface frequently.
Mitigation Recommendations
To mitigate this vulnerability, European organizations and users should first isolate RPi-Jukebox-RFID devices from untrusted networks. Network segmentation keeps remote attackers from reaching the vulnerable web interface at all. Until a patch or official fix is released, users should avoid using the cardEdit.php page and related functionality. A web application firewall (WAF) with rules that detect and block XSS payloads aimed at that URL adds a further layer of defence. Monitoring network traffic and web server logs for unusual requests to /htdocs/cardEdit.php, or for suspicious user-agent strings, can reveal exploitation attempts. Where possible, disable the vulnerable functionality or replace the software with an alternative that does not have this flaw. Finally, watch the vendor's channels for a forthcoming patch and apply it promptly once it is available.
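The log-monitoring recommendation above, as an added example that is not part of the advisory or of the RPi-Jukebox-RFID project: it scans constructed web-server access-log lines in the common "combined" format, looks only at requests for cardEdit.php, and flags query parameters that still contain markup or inline event handlers after URL decoding (including double encoding). It assumes the combined log format and that /htdocs is the web root, so the page may appear in logs as /cardEdit.php without the prefix.

```python
import re
from typing import NamedTuple
from urllib.parse import parse_qsl, unquote_plus, urlsplit
# Constructed sample lines in combined log format; not captured from any real device.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Sep/2025:14:02:11 +0000] "GET /htdocs/cardEdit.php?cardID=0001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [13/Sep/2025:14:02:15 +0000] "GET /htdocs/cardEdit.php?cardID=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
192.0.2.12 - - [13/Sep/2025:14:03:01 +0000] "GET /htdocs/index.php?q=%3Cb%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.13 - - [13/Sep/2025:14:03:40 +0000] "GET /htdocs/cardEdit.php?cardID=0002&x=%22%20onmouseover%3D%22alert(1) HTTP/1.1" 200 600 "-" "curl/8.0"
192.0.2.14 - - [13/Sep/2025:14:04:02 +0000] "GET /cardEdit.php?cardID=%253Cscript%253E HTTP/1.1" 200 600 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(  # Apache/nginx "combined" log format
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Coarse indicators (tags, inline event handlers, javascript: URLs); expect some
# false positives such as "a < b" in a free-text field, and tune to your traffic.
XSS_RE = re.compile(r'<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:', re.IGNORECASE)
# Assumption: /htdocs is the web root, so logs usually show /cardEdit.php without
# the prefix; matching the basename covers both spellings.
VULN_BASENAME = "/cardEdit.php"

class Finding(NamedTuple):
    ip: str
    ts: str
    param: str
    value: str

def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated URL encoding so double-encoded markup is not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line: str) -> list[Finding]:
    m = LOG_RE.match(line.strip())
    url = urlsplit(m["target"]) if m else None
    if url is None or not url.path.endswith(VULN_BASENAME):
        return []  # unparsable line or a request for some other page
    # parse_qsl strips one encoding layer; decode_fully removes any further layers.
    return [Finding(m["ip"], m["ts"], name, value)
            for name, raw in parse_qsl(url.query, keep_blank_values=True)
            if XSS_RE.search(value := decode_fully(raw))]

def scan_log(text: str) -> list[Finding]:
    # Access logs hold GET query strings only; POST bodies need a WAF or app log.
    return [f for line in text.splitlines() if line.strip() for f in scan_line(line)]
```

Running `scan_log(SAMPLE_LOG)` reports the three cardEdit.php requests carrying markup and ignores the clean request and the index.php hit.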
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-12T14:04:33.577Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c57c72e14ebf9f5cc6689f
Added to database: 9/13/2025, 2:15:14 PM
Last enriched: 9/13/2025, 2:30:19 PM
Last updated: 9/13/2025, 6:51:34 PM