CVE-2025-10368 is a cross-site scripting (XSS) vulnerability identified in the MiczFlor RPi-Jukebox-RFID software, versions up to and including 2.8.0. The vulnerability resides in an unspecified functionality within the /htdocs/manageFilesFolders.php file. This flaw allows an attacker to inject malicious scripts that are executed in the context of the victim's browser when interacting with the affected web interface. The vulnerability can be exploited remotely without requiring authentication, although user interaction is necessary to trigger the malicious script execution. The vendor was notified prior to public disclosure but did not respond or provide a patch, and a public exploit is available, increasing the risk of exploitation. The CVSS v4.0 base score is 5.1, indicating a medium severity level. The attack vector is network-based (remote), with low attack complexity and no privileges required, but user interaction is needed. The impact primarily affects the integrity and limited confidentiality of the affected system, as the injected scripts could be used to steal session tokens, manipulate displayed content, or conduct phishing attacks within the context of the RPi-Jukebox-RFID web interface. However, the vulnerability does not affect availability or system-level integrity directly. The RPi-Jukebox-RFID is a specialized software used to manage music playback on Raspberry Pi devices with RFID integration, often deployed in hobbyist or niche environments rather than enterprise settings.

For European organizations, the impact of this vulnerability depends largely on the deployment scale and criticality of the RPi-Jukebox-RFID system within their infrastructure. Since this software is primarily used for media playback on Raspberry Pi devices, its presence in corporate or critical infrastructure environments is likely limited. However, organizations using these devices in public-facing or shared environments (e.g., educational institutions, libraries, community centers) could face risks of session hijacking, unauthorized content manipulation, or social engineering attacks via the XSS vulnerability. The presence of a public exploit increases the likelihood of opportunistic attacks, especially in environments where the device is accessible over the network and users interact with the web interface. While the direct impact on confidentiality and integrity is moderate, the vulnerability could be leveraged as a foothold for further attacks if combined with other vulnerabilities or misconfigurations. The lack of vendor response and absence of official patches means organizations must rely on alternative mitigation strategies. Overall, the threat is more relevant to smaller-scale or niche deployments rather than large enterprise systems, but the risk should not be dismissed in environments where these devices are accessible and used by multiple users.

Given the absence of an official patch, European organizations should implement several practical mitigations: 1) Restrict network access to the RPi-Jukebox-RFID web interface by using firewalls or network segmentation to limit exposure to trusted users only. 2) Employ web application firewalls (WAFs) capable of detecting and blocking XSS attack patterns targeting the manageFilesFolders.php endpoint. 3) Educate users about the risks of interacting with suspicious links or inputs within the device's web interface to reduce the likelihood of successful social engineering. 4) If possible, review and sanitize inputs in the manageFilesFolders.php file by applying custom patches or filters to neutralize malicious scripts. 5) Monitor device logs and network traffic for unusual activity indicative of exploitation attempts. 6) Consider isolating the device on a separate VLAN or network segment to contain potential compromise. 7) Regularly check for vendor updates or community patches addressing this vulnerability. 8) As a longer-term solution, evaluate alternative software solutions or updated versions that address this vulnerability once available.