CVE-2025-10368: Cross Site Scripting in MiczFlor RPi-Jukebox-RFID
A vulnerability was found in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Affected by this issue is some unknown functionality of the file /htdocs/manageFilesFolders.php. Performing manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10368 is a cross-site scripting (XSS) vulnerability in the MiczFlor RPi-Jukebox-RFID software, versions up to 2.8.0. The flaw resides in the file /htdocs/manageFilesFolders.php, where manipulation of certain input allows an attacker to inject script into the page. It is remotely exploitable, although user interaction is necessary to trigger the injected payload. The CVSS 4.0 base score is 5.1, a medium severity. The attack vector is network-based (AV:N), with low attack complexity (AC:L), low privileges required (PR:L), and passive user interaction required (UI:P). The impact is primarily on the integrity of the application (VI:L), with no direct impact on confidentiality or availability. The vendor was notified early but has neither responded nor provided a patch; no exploitation in the wild is known, but exploit code has been publicly disclosed. Successful exploitation lets an attacker execute arbitrary JavaScript in the context of the affected web application, which can lead to session hijacking, defacement, or redirection to malicious sites. Because RPi-Jukebox-RFID is a Raspberry Pi-based jukebox controlled by RFID tags, the vulnerability matters wherever the device is reachable over a network and users interact with its web interface.
Potential Impact
For European organizations using MiczFlor RPi-Jukebox-RFID, particularly in environments such as educational institutions, libraries, or small businesses that deploy these jukebox systems, this vulnerability could lead to unauthorized script execution within the web interface. This may result in session hijacking or unauthorized actions performed on behalf of legitimate users, potentially compromising user data or system integrity. While the direct impact on critical infrastructure is limited due to the niche application, organizations relying on these devices for user interaction or public engagement could suffer reputational damage or data integrity issues. Additionally, if the device is integrated into larger networked systems without proper segmentation, the XSS vulnerability could serve as an initial foothold for further lateral movement or social engineering attacks. The lack of vendor response and patch availability increases the risk exposure, as users may remain vulnerable for an extended period.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should implement the following specific measures:
1) Immediately restrict network access to the RPi-Jukebox-RFID web interface by implementing firewall rules or network segmentation to limit exposure to trusted users only.
2) Employ web application firewalls (WAFs) capable of detecting and blocking XSS payloads targeting the /htdocs/manageFilesFolders.php endpoint.
3) Educate users to avoid clicking on suspicious links or interacting with untrusted content related to the jukebox interface.
4) If possible, review and sanitize inputs on the affected page manually or deploy custom patches to filter out malicious scripts until an official vendor patch is available.
5) Monitor logs for unusual activity or repeated attempts to exploit the vulnerability.
6) Consider isolating the device on a separate VLAN or network segment to minimize potential lateral movement.
7) Regularly check for vendor updates or community patches addressing this vulnerability and apply them promptly once available.
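The following Python script is an added example of the log-monitoring step above (item 5); it is not code from this page, from VulDB, or from the RPi-Jukebox-RFID project. It assumes the web server writes Common Log Format access logs and that /htdocs is the web root, so requests for the affected page arrive as /manageFilesFolders.php. The log lines, IP addresses and the parameter name `q` are constructed for the example; the real parameter handled by the page is not named in the advisory. The script URL-decodes each query value (twice, to surface double-encoded values) and flags requests to the affected script that carry HTML tags, inline event handlers or a javascript: URI, then counts flagged requests per source address so repeated attempts stand out.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Sep/2025:15:45:14 +0000] "GET /manageFilesFolders.php?q=audiofolders HTTP/1.1" 200 5120
192.0.2.11 - - [13/Sep/2025:15:46:02 +0000] "GET /manageFilesFolders.php?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5200
192.0.2.12 - - [13/Sep/2025:15:47:30 +0000] "GET /index.php HTTP/1.1" 200 3000
192.0.2.11 - - [13/Sep/2025:15:48:11 +0000] "GET /manageFilesFolders.php?q=x%22%20onmouseover%3D%22alert%281%29 HTTP/1.1" 200 5200
192.0.2.13 - - [13/Sep/2025:15:49:05 +0000] "GET /manageFilesFolders.php?q=%253Cb%253Ehi%253C%252Fb%253E HTTP/1.1" 200 5200
"""

# One Common Log Format line: client, ident, user, [timestamp], "request", status, size.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Script name of the affected page (assumed to be served from the /htdocs web root).
AFFECTED_SCRIPT = "manageFilesFolders.php"

# Broad indicators of script injection in a decoded parameter value. The goal is
# to surface requests for review, not to be a complete filter; blocking belongs
# in a WAF or, better, in output encoding on the page itself.
XSS_INDICATORS = [
    (re.compile(r"<\s*/?\s*[a-z][^>]*>", re.I), "html tag in parameter"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "inline event handler"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URI"),
]


def decode_query(target: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs of the query string, URL-decoded twice.

    parse_qsl decodes once; the extra unquote_plus reveals double-encoded
    values that a single decode would leave looking harmless."""
    query = urlsplit(target).query
    return [(k, unquote_plus(v)) for k, v in parse_qsl(query, keep_blank_values=True)]


def scan_line(line: str):
    """Return a finding dict for a suspicious request to the affected script, else None."""
    m = CLF_RE.match(line)
    if not m:
        return None  # not a CLF line; skip rather than fail the whole scan
    target = m.group("target")
    if not urlsplit(target).path.endswith("/" + AFFECTED_SCRIPT):
        return None
    for name, value in decode_query(target):
        for pattern, reason in XSS_INDICATORS:
            if pattern.search(value):
                return {"ip": m.group("ip"), "ts": m.group("ts"), "param": name, "reason": reason}
    return None


def scan_log(text: str):
    """Scan a whole log; return (findings, flagged-request count per source IP)."""
    findings = [f for f in (scan_line(line) for line in text.splitlines()) if f]
    return findings, Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found, per_ip = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} param={f['param']!r}: {f['reason']}")
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} flagged request(s)")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; addresses with several flagged requests in a short window are the ones to investigate first, and any hit that returned a 200 status is worth checking in the page's rendered output.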
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-12T14:04:36.356Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c5918ae14ebf9f5cc6fb84
Added to database: 9/13/2025, 3:45:14 PM
Last enriched: 9/13/2025, 4:00:13 PM
Last updated: 9/13/2025, 7:38:14 PM