CVE-2025-10369: Cross Site Scripting in MiczFlor RPi-Jukebox-RFID
A vulnerability was determined in MiczFlor RPi-Jukebox-RFID up to 2.8.0. This affects an unknown part of the file /htdocs/cardRegisterNew.php. Executing manipulation can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10369 is a cross-site scripting (XSS) vulnerability identified in the MiczFlor RPi-Jukebox-RFID software versions up to 2.8.0. The vulnerability resides in the /htdocs/cardRegisterNew.php file, where insufficient input sanitization allows an attacker to inject malicious scripts. This flaw can be exploited remotely without requiring authentication, although user interaction is necessary for the malicious payload to execute (e.g., a victim clicking a crafted link or visiting a malicious page). The vulnerability has a CVSS 4.0 base score of 5.1, indicating a medium severity level. The vector details specify that the attack is network exploitable (AV:N), requires low attack complexity (AC:L), low privileges (PR:L) and passive user interaction (UI:P), and has a low impact on integrity (VI:L) without affecting confidentiality or availability. The vendor was notified but has not responded, and no patches or mitigations have been published yet. Although no known exploits are currently active in the wild, the public disclosure of the vulnerability increases the risk of exploitation. XSS vulnerabilities can be leveraged to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, defacement, or redirection to malicious sites. Given the nature of RPi-Jukebox-RFID as a music player system for Raspberry Pi with RFID integration, the attack surface is primarily the web-based interfaces used for card registration and management.
Potential Impact
For European organizations using MiczFlor RPi-Jukebox-RFID, particularly those deploying it in public or semi-public environments (e.g., libraries, educational institutions, community centers), this vulnerability could lead to targeted attacks against users interacting with the web interface. The XSS flaw could be exploited to steal session cookies, perform phishing attacks, or inject malicious content, undermining user trust and potentially exposing sensitive user data. Although the product is niche and likely used in smaller-scale deployments, organizations relying on it for user authentication or access control via RFID could face integrity risks if attackers manipulate card registration processes. The medium severity rating suggests moderate risk, but the lack of vendor response and patches increases exposure. European organizations with strict data protection regulations (e.g., GDPR) must consider the reputational and compliance risks if user data is compromised through this vulnerability.
Mitigation Recommendations
Immediate mitigation steps include disabling or restricting access to the vulnerable card registration web interface to trusted users only, ideally within a secured network segment. Organizations should implement web application firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting the /htdocs/cardRegisterNew.php endpoint. Input validation and output encoding should be applied at the application level; if source code access is available, developers should sanitize all user inputs and encode outputs to prevent script injection. Monitoring web logs for suspicious requests and unusual user activity can help detect exploitation attempts early. Since no official patch is available, organizations might consider isolating the device from public networks or replacing the vulnerable software with alternative solutions until a fix is released. User education about phishing risks related to XSS attacks is also advisable.
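One way to act on the log-monitoring advice above: an added detection script (not part of this advisory or of the RPi-Jukebox-RFID project) that scans Apache combined-format access-log lines for requests to /htdocs/cardRegisterNew.php that carry script markers after URL decoding, or that arrive via a Referer outside the device's own host. The `cardId` parameter name, the `jukebox.local` host name and every log line are constructed assumptions, not values taken from the advisory.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Apache "combined" format; not real traffic from any device.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Sep/2025:16:40:01 +0000] "GET /htdocs/cardRegisterNew.php?cardId=0001234567 HTTP/1.1" 200 1843 "http://jukebox.local/htdocs/index.php" "Mozilla/5.0"
192.0.2.11 - - [13/Sep/2025:16:41:07 +0000] "GET /htdocs/cardRegisterNew.php?cardId=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1901 "-" "Mozilla/5.0"
192.0.2.12 - - [13/Sep/2025:16:42:30 +0000] "GET /htdocs/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.13 - - [13/Sep/2025:16:43:15 +0000] "GET /htdocs/cardRegisterNew.php?cardId=42 HTTP/1.1" 200 1843 "http://attacker.example/lure.html" "Mozilla/5.0"
"""

# One combined-format line: client, ident, user, [timestamp], "METHOD target PROTO", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TARGET_PATH = "/htdocs/cardRegisterNew.php"   # the endpoint named in the advisory

# Markers of script injection, matched against the URL-decoded request target.
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe)\b", re.I)


def decode_twice(s: str) -> str:
    """Decode percent-encoding twice so a double-encoded payload is normalised as well."""
    return unquote_plus(unquote_plus(s))


def find_suspicious(log_text: str, trusted_hosts: set[str]) -> list[dict]:
    """Return one hit per request to the card-registration page that carries script
    markers or was reached via a Referer outside trusted_hosts."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line; skip it
        target = decode_twice(m["target"])
        if urlsplit(target).path != TARGET_PATH:
            continue                      # only the vulnerable endpoint is of interest here
        if SCRIPT_MARKERS.search(target):
            hits.append({"ip": m["ip"], "ts": m["ts"], "reason": "script markers in request"})
            continue
        ref_host = urlsplit(m["referer"]).hostname
        # Weaker signal: the page was reached from a link on a foreign site, which is how a
        # crafted link against this endpoint would typically be delivered to a victim.
        if ref_host and ref_host not in trusted_hosts:
            hits.append({"ip": m["ip"], "ts": m["ts"], "reason": "external referer"})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG, {"jukebox.local"}):
        print(hit)
```

Point it at the real access log and the device's own host names; the Referer signal will produce some benign hits and is best treated as a triage hint rather than an alert on its own.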
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-12T14:04:38.880Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c59f9ae14ebf9f5cc7511d
Added to database: 9/13/2025, 4:45:14 PM
Last enriched: 9/13/2025, 5:00:20 PM
Last updated: 9/13/2025, 8:37:17 PM