CVE-2025-10369: Cross Site Scripting in MiczFlor RPi-Jukebox-RFID
A vulnerability has been identified in MiczFlor RPi-Jukebox-RFID up to version 2.8.0. It affects an unknown part of the file /htdocs/cardRegisterNew.php; manipulating the input handled there can lead to cross-site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10369 is a cross-site scripting (XSS) vulnerability in the MiczFlor RPi-Jukebox-RFID software, versions up to 2.8.0. The flaw is in the /htdocs/cardRegisterNew.php file, where insufficient input sanitization allows an attacker to inject script into the page the application renders. It can be exploited remotely and needs only passive user interaction, such as visiting a crafted URL or submitting manipulated input. The vulnerability carries a CVSS 4.0 base score of 5.1 (medium). The vector is network-based (AV:N) with low attack complexity (AC:L), low privileges required (PR:L), and passive user interaction (UI:P). The impact falls primarily on the integrity of the web interface, with limited effect on confidentiality and availability. The vendor was notified but did not respond, and no patches or mitigations have been published yet. Although no exploitation in the wild is known, the public disclosure increases the risk of exploitation. RPi-Jukebox-RFID is a niche open-source project for Raspberry Pi devices that controls music playback via RFID cards, typically deployed in hobbyist or small-scale environments. The vulnerability could let attackers execute arbitrary JavaScript in the context of the affected web application, potentially leading to session hijacking, defacement, or redirection to malicious sites.
Potential Impact
For European organizations, the impact of this vulnerability depends largely on the deployment scale and context of RPi-Jukebox-RFID usage. While primarily a hobbyist or small business tool, organizations using this software for public or semi-public music playback could face reputational damage if attackers exploit the XSS to deface interfaces or deliver malicious payloads to users. In environments where the device interfaces with broader internal networks, the XSS could be a stepping stone for further attacks, such as phishing or lateral movement, especially if combined with other vulnerabilities. Confidentiality impact is limited, but integrity and user trust can be compromised. Since the vulnerability requires user interaction, the risk is somewhat mitigated, but the ease of remote exploitation and lack of vendor response increase concern. European organizations with public-facing installations or those in sectors like hospitality, education, or retail using RPi-Jukebox-RFID should be particularly cautious.
Mitigation Recommendations
Given the absence of official patches, European organizations should implement the following specific mitigations:
1) Restrict network access to the RPi-Jukebox-RFID web interface by using firewalls or VPNs to limit exposure to trusted users only.
2) Employ web application firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting the /htdocs/cardRegisterNew.php endpoint.
3) Disable or restrict user input fields related to card registration if not actively used, or implement manual input validation and sanitization at the network perimeter.
4) Monitor logs for unusual input patterns or repeated access attempts to the vulnerable page.
5) Educate users about the risks of clicking untrusted links related to the device's web interface.
6) Consider isolating the device on a segmented network to prevent potential lateral movement.
7) Explore alternative software solutions or versions without this vulnerability if feasible.
8) Regularly check for vendor updates or community patches addressing this issue.
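Recommendation 4 asks for log monitoring of the vulnerable page. The following is an added example, not code from the project or from this advisory: it scans constructed Common Log Format lines for requests to /htdocs/cardRegisterNew.php whose decoded query carries script-like markup and reports clients that hit the page repeatedly. The sample log lines and the parameter name "cardid" are assumptions, not the project's real parameter.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Common Log Format; "cardid" is a placeholder
# parameter name, not the project's real one.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Sep/2025:16:45:14 +0000] "GET /htdocs/cardRegisterNew.php?cardid=0001234567 HTTP/1.1" 200 5120
192.0.2.10 - - [13/Sep/2025:16:45:20 +0000] "GET /htdocs/index.php HTTP/1.1" 200 8192
198.51.100.7 - - [13/Sep/2025:16:46:01 +0000] "GET /htdocs/cardRegisterNew.php?cardid=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5130
198.51.100.7 - - [13/Sep/2025:16:46:03 +0000] "GET /htdocs/cardRegisterNew.php?cardid=x%22%20onmouseover%3Dalert(1) HTTP/1.1" 200 5130
198.51.100.7 - - [13/Sep/2025:16:46:05 +0000] "POST /htdocs/cardRegisterNew.php HTTP/1.1" 302 0
"""

VULN_PATH = "/htdocs/cardRegisterNew.php"
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')
# Markup/script markers; the \b before "on" keeps legitimate keys like "phone=" from matching.
XSS_RE = re.compile(r'<\s*/?\s*(script|img|svg|iframe)\b|\bon\w+\s*=|javascript\s*:', re.I)

def parse_line(line):
    """Return the fields of one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None

def decoded_query(target):
    """URL-decode the query twice so single- and double-encoded input both surface."""
    return unquote_plus(unquote_plus(urlsplit(target).query))

def looks_like_xss(query):
    return bool(XSS_RE.search(query))

def analyze(log_text, repeat_threshold=3):
    """Flag requests to the vulnerable page that carry script-like input, and
    list client IPs that requested that page at least repeat_threshold times."""
    hits = Counter()
    suspicious = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or urlsplit(rec["target"]).path != VULN_PATH:
            continue
        hits[rec["ip"]] += 1
        query = decoded_query(rec["target"])
        if looks_like_xss(query):
            suspicious.append((rec["ip"], rec["ts"], query))
    repeat = {ip: n for ip, n in hits.items() if n >= repeat_threshold}
    return {"suspicious": suspicious, "repeat_offenders": repeat}

if __name__ == "__main__":
    for ip, ts, query in analyze(SAMPLE_LOG)["suspicious"]:
        print(f"{ts} {ip} -> {query}")
```

Only GET query strings are inspected here; POST bodies are not in access logs, so form submissions to the page need WAF or application-level logging to be covered.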
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-12T14:04:38.880Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c59f9ae14ebf9f5cc7511d
Added to database: 9/13/2025, 4:45:14 PM
Last enriched: 9/21/2025, 12:38:03 AM
Last updated: 10/30/2025, 2:09:54 PM
Views: 46