
CVE-2025-10370: Cross Site Scripting in MiczFlor RPi-Jukebox-RFID

Severity: Medium
Tags: Vulnerability, CVE-2025-10370
Published: Sat Sep 13 2025 (09/13/2025, 17:02:07 UTC)
Source: CVE Database V5
Vendor/Project: MiczFlor
Product: RPi-Jukebox-RFID

Description

A vulnerability was identified in MiczFlor RPi-Jukebox-RFID up to version 2.8.0. It affects unknown code in the file /htdocs/userScripts.php. Manipulation of the argument Custom script leads to cross-site scripting. The attack can be carried out remotely. An exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/21/2025, 00:38:14 UTC

Technical Analysis

CVE-2025-10370 is a cross-site scripting (XSS) vulnerability in MiczFlor RPi-Jukebox-RFID, affecting versions up to and including 2.8.0. The flaw is in /htdocs/userScripts.php, where the value submitted as the 'Custom script' argument is placed into the page without adequate output encoding, so an attacker who controls that value can inject markup and script that runs in the browser of whoever views the resulting page. According to the advisory, no authentication is required, but user interaction is needed to trigger the payload: a victim must load the crafted request, or the page that displays the stored value. The advisory does not say whether the value is reflected immediately or stored and displayed later; the practical difference is that a stored variant affects every subsequent visitor, not only the one who follows a crafted link.

The vendor was notified before disclosure but did not respond or provide a patch, and an exploit is publicly available. The CVSS v4.0 base score is 5.1 (medium); the vector string is not reproduced here, but the score reflects remote exploitability with no privileges required, the user-interaction requirement, and an impact confined to the integrity of what the victim's browser renders rather than to the confidentiality or availability of the host. In practice that client-side foothold is enough for session hijacking, credential phishing, or issuing requests to the jukebox web interface from the victim's browser.

The product targets Raspberry Pi jukeboxes with RFID readers, so deployments are mostly hobbyist, small-business or educational, and the web interface normally lives on a home or local network. Any deployment that exposes that interface to untrusted networks or users is at risk.
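A verification check a practitioner can run against a deployment they are authorised to test, written here as an added example in Python (it is not code from RPi-Jukebox-RFID or from the advisory): it builds a benign probe whose marker carries no script, classifies how a response reflects that marker, and shows the output encoding that closes this class of bug. The form-field name custom_script and the two sample responses are assumptions constructed for the example; the advisory only names the argument 'Custom script'.

```python
"""Reflection check for the suspect parameter, plus the output-encoding fix.

Added example; not code from RPi-Jukebox-RFID. The form-field name
'custom_script' is an ASSUMPTION (the advisory only names the argument
'Custom script'), as are the two sample responses below.
"""
import html
from urllib.parse import urlencode

# Benign marker: unique, and containing the three characters that must be
# encoded in an HTML attribute context ('"', '<', '>'). It carries no script,
# so it is safe to submit to a system you are authorised to test.
MARKER = 'zzq"><u>zzq</u>'

ASSUMED_FIELD = "custom_script"  # assumption, see module docstring


def probe_query(marker: str = MARKER, field: str = ASSUMED_FIELD) -> str:
    """Query string that submits the marker in the suspect parameter
    (for a GET probe; a POST probe would carry the same pair in the body)."""
    return urlencode({field: marker})


def classify_reflection(body: str, marker: str = MARKER) -> str:
    """Classify how a response body reflects the marker.

    'raw'     : marker appears verbatim, so attacker-controlled markup reaches
                the browser unencoded; this is the XSS condition.
    'encoded' : marker appears only with '"', '<', '>' HTML-encoded, so the
                page applies output encoding for this context.
    'absent'  : not reflected here (a stored variant could still surface on
                another page, so check every page that displays the value).
    """
    if marker in body:
        return "raw"
    if html.escape(marker, quote=True) in body:
        return "encoded"
    return "absent"


def render_safe(value: str) -> str:
    """The fix for this bug class: encode '&', '<', '>', '"' and "'" before
    placing user input into HTML text or a quoted attribute."""
    return html.escape(value, quote=True)


# Constructed responses for the two outcomes (not captured from the product).
# In the first, the marker closes the value attribute and injects a <u> tag;
# in the second, it is rendered as inert text.
VULNERABLE_RESPONSE = (
    '<form method="post"><input name="custom_script" value="'
    + MARKER + '"></form>'
)
FIXED_RESPONSE = (
    '<form method="post"><input name="custom_script" value="'
    + render_safe(MARKER) + '"></form>'
)

if __name__ == "__main__":
    print("probe:", probe_query())
    for label, body in (("vulnerable", VULNERABLE_RESPONSE),
                        ("fixed", FIXED_RESPONSE)):
        print(label, "->", classify_reflection(body))
```

The marker is chosen so that a 'raw' result proves the attribute context can be broken out of without executing anything. Because the advisory does not say whether the value is reflected or stored, classify every page that displays the custom script value, not only the response to the probe itself.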

Potential Impact

For European organizations using MiczFlor RPi-Jukebox-RFID, this vulnerability poses a moderate risk, mainly to the integrity of user sessions and the trustworthiness of the web interface. The product is specialized and rarely found in enterprise environments, but small businesses, educational institutions and hobbyist groups in Europe that run it could be targeted. Exploitation lets an attacker run script in users' browsers, enabling phishing, credential theft or unauthorized actions within the jukebox web interface. The direct impact on critical infrastructure or sensitive data is limited, but a compromised browser session on a networked device can be a stepping stone for further attacks. The absence of a vendor response or patch lengthens the window of exposure, and deployments that are public-facing or poorly segmented are the most exposed. The medium CVSS score reflects that exploitation is remote and unauthenticated but needs user interaction, which limits automated large-scale exploitation; the public exploit nonetheless makes opportunistic attacks more likely.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should implement the following measures:

1) Restrict access to the RPi-Jukebox-RFID web interface to trusted users by network segmentation or firewall rules, so it is never reachable from untrusted networks.
2) Put the interface behind a web application firewall with rules that inspect the 'Custom script' parameter, and the rest of any request to /htdocs/userScripts.php, for markup, event-handler attributes and javascript: URLs; decode URL-encoding before matching, since trivial double-encoding otherwise slips past.
3) Educate users not to follow untrusted links to the jukebox interface, since the attack depends on a victim loading a crafted request or page.
4) If possible, disable or limit the 'Custom script' functionality until a vendor patch or community fix is available.
5) Monitor logs for unusual or repeated requests to /htdocs/userScripts.php. A web server access log shows only the query string; if the parameter is submitted by POST, the payload is visible only with request-body logging at a reverse proxy or in a WAF audit log.
6) Have a reverse proxy add a Content-Security-Policy header that disallows inline script, after checking that the interface's own pages still work under it; this blunts most injected payloads even before the application is fixed. The real fix is contextual output encoding in the application, which only a patch can deliver.
7) Track vendor and community channels for a patch or mitigation.
8) As a longer-term measure, evaluate alternative software with active maintenance and security support for the same use case.
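As an added example for the WAF-rule and log-monitoring items above (not code from the project or the advisory), a Python triage script run over constructed Apache/nginx combined-format access log lines: it selects requests to /htdocs/userScripts.php, URL-decodes query parameters a second time to catch double-encoded payloads, matches markup and event-handler indicators, flags POST requests whose body the access log cannot show, and counts repeat sources. The parameter name custom_script, the log lines and the addresses in them are constructed assumptions.

```python
"""Triage web-server access logs for probing of /htdocs/userScripts.php.

Added example; not code from the project or the advisory. The log lines and
the parameter name 'custom_script' are constructed assumptions.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

TARGET_PATH = "/htdocs/userScripts.php"

# Apache/nginx combined format:
# host ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Injection indicators, applied to decoded parameter values. These are triage
# heuristics (a tag, an HTML event handler, a javascript: URL), so expect
# some false positives on legitimate scripts that contain '<' or 'on...='.
XSS_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"<\s*script\b",
    r"</?[a-z][^>]*>",
    r"\bon[a-z]+\s*=",
    r"javascript\s*:",
)]

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [13/Sep/2025:17:05:01 +0000] "GET /htdocs/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Sep/2025:17:05:09 +0000] "GET /htdocs/userScripts.php?custom_script=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2048 "-" "curl/8.4.0"
192.0.2.44 - - [13/Sep/2025:17:05:12 +0000] "GET /htdocs/userScripts.php?custom_script=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 2048 "-" "curl/8.4.0"
192.0.2.7 - - [13/Sep/2025:17:06:30 +0000] "POST /htdocs/userScripts.php HTTP/1.1" 302 0 "http://jukebox.local/htdocs/userScripts.php" "Mozilla/5.0"
192.0.2.44 - - [13/Sep/2025:17:06:40 +0000] "GET /htdocs/userScripts.php?custom_script=echo+hello HTTP/1.1" 200 2048 "-" "curl/8.4.0"
"""


def is_xss_like(value: str) -> bool:
    return any(p.search(value) for p in XSS_PATTERNS)


def analyse_line(line: str):
    """Return a finding dict for a request to TARGET_PATH, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != TARGET_PATH:
        return None
    hits = []
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        for v in values:
            # parse_qs already decoded once; a second pass exposes
            # double-encoded payloads such as %253Cscript%253E.
            decoded = unquote_plus(v)
            if is_xss_like(decoded):
                hits.append((name, decoded))
    return {
        "ip": m["ip"],
        "time": m["time"],
        "method": m["method"],
        "status": m["status"],
        "hits": hits,
        # Access logs never contain POST bodies, so a POST to this page
        # cannot be cleared from the access log alone.
        "body_unseen": m["method"] == "POST",
    }


def triage(log_text: str) -> list:
    """Findings needing attention: a decoded payload matched, or a POST body is unseen."""
    findings = []
    for line in log_text.splitlines():
        f = analyse_line(line)
        if f and (f["hits"] or f["body_unseen"]):
            findings.append(f)
    return findings


def repeat_sources(findings: list) -> Counter:
    """Count sources with at least one matched payload; repeat probing stands out."""
    return Counter(f["ip"] for f in findings if f["hits"])


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        what = f["hits"] or "POST body not in access log"
        print(f["time"], f["ip"], f["method"], f["status"], what)
    print("repeat sources:", dict(repeat_sources(found)))
```

On the sample, the two curl requests from 192.0.2.44 are flagged (the second only because of the second decoding pass), the POST from 192.0.2.7 is surfaced for manual review because its body is not in the log, and the harmless `echo hello` value is ignored. The same decoded-value matching is what a WAF rule for this parameter should do; matching the raw, still-encoded request line is not enough.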


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-12T14:04:41.831Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68c5a6a1e14ebf9f5cc782da

Added to database: 9/13/2025, 5:15:13 PM

Last enriched: 9/21/2025, 12:38:14 AM

Last updated: 10/30/2025, 2:13:49 PM

Views: 49
