CVE-2025-10370: Cross Site Scripting in MiczFlor RPi-Jukebox-RFID
A vulnerability was identified in MiczFlor RPi-Jukebox-RFID up to 2.8.0. It affects unknown code in the file /htdocs/userScripts.php. Manipulation of the argument 'Custom script' leads to cross site scripting. The attack can be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10370 is a cross-site scripting (XSS) vulnerability identified in the MiczFlor RPi-Jukebox-RFID software, affecting all versions up to and including 2.8.0. The vulnerability resides in the /htdocs/userScripts.php file, specifically in the handling of the 'Custom script' argument. An attacker can remotely manipulate this argument to inject malicious scripts, which are then executed in the context of the victim's browser. This type of vulnerability allows attackers to perform actions such as stealing session cookies, redirecting users to malicious sites, or executing arbitrary JavaScript code. The vulnerability requires no authentication but does require some user interaction, as indicated by the CVSS vector (UI:P). The CVSS 4.0 base score is 5.1, categorizing it as a medium severity issue. The vendor was notified early but has not responded or provided a patch, and while the exploit is publicly available, there are no confirmed reports of exploitation in the wild. The vulnerability's ease of exploitation is moderate due to the need for user interaction, and it impacts the confidentiality and integrity of user sessions but does not affect availability. The affected product, RPi-Jukebox-RFID, is a Raspberry Pi-based jukebox system that uses RFID tags to trigger music playback, often deployed in hobbyist, educational, or niche commercial environments.
Potential Impact
For European organizations, the impact of this vulnerability depends largely on the deployment scale and context of RPi-Jukebox-RFID devices. While the product is niche and primarily used in small-scale or hobbyist settings, organizations using it in public or semi-public environments (e.g., museums, libraries, educational institutions) could face risks of session hijacking or unauthorized actions via XSS attacks. This could lead to unauthorized access to user accounts or manipulation of the jukebox system, potentially undermining user trust or causing reputational damage. Since the vulnerability requires user interaction, the risk is somewhat mitigated but remains significant in environments where multiple users access the system. Additionally, the lack of vendor response and patch availability increases the window of exposure. European organizations with Raspberry Pi-based deployments should be aware that attackers could exploit this vulnerability remotely, especially if the device interfaces with broader networks or is accessible via the internet.
Mitigation Recommendations
Given the absence of an official patch, European organizations should implement several specific mitigations:
1) Restrict network access to the RPi-Jukebox-RFID device by placing it behind firewalls or VPNs to limit exposure to trusted users only.
2) Disable or restrict the use of the 'Custom script' functionality if possible, or sanitize inputs at the application or web server level to prevent injection of malicious scripts.
3) Employ Content Security Policy (CSP) headers on the web interface to reduce the impact of XSS by restricting the execution of unauthorized scripts.
4) Monitor network traffic and logs for unusual activity related to the userScripts.php endpoint.
5) Educate users about the risks of interacting with untrusted links or inputs on the jukebox interface.
6) Consider isolating the device on a segmented network to prevent lateral movement if compromised.
7) Regularly check for vendor updates or community patches and apply them promptly once available.
8) If feasible, review and modify the source code to implement proper input validation and output encoding on the affected parameter.
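The input-validation, output-encoding and CSP mitigations (items 2, 3 and 8), shown as an added illustration that is not code from RPi-Jukebox-RFID: a hypothetical handler that writes a 'custom script' value into the page unencoded, beside a hardened version. The field name `custom_script`, the allow-listed script names and the CSP directives are assumptions.

```php
<?php
// Added illustration, not code from RPi-Jukebox-RFID. The field name
// 'custom_script' and the allow-list of script names are assumptions.

// Vulnerable pattern: a request value is copied into the HTML response
// unencoded, so the browser treats whatever it contains as markup.
function render_unsafe(array $request): string
{
    $custom = $request['custom_script'] ?? '';
    return "<p>Selected script: {$custom}</p>";
}

// Hardened pattern: reject anything not on an allow-list, then encode the
// value for the HTML context it is written into.
function render_safe(array $request, array $allowed_scripts): string
{
    $custom = (string)($request['custom_script'] ?? '');

    // Input validation: unknown names are refused, not "cleaned up".
    if (!in_array($custom, $allowed_scripts, true)) {
        http_response_code(400);
        return '<p>Unknown custom script.</p>';
    }

    // Output encoding: ENT_QUOTES covers both quote characters, so the
    // value is also safe inside attribute values.
    $safe = htmlspecialchars($custom, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Selected script: {$safe}</p>";
}

// Defence in depth: a CSP that blocks inline script and event handlers.
// Must be sent before any response body.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
}

// Constructed inputs: one allow-listed name, one crafted value.
$allowed = ['play_album.sh', 'shutdown.sh'];              // assumed names
$good    = ['custom_script' => 'play_album.sh'];
$crafted = ['custom_script' => '"><b>not-a-script</b>'];  // constructed

send_csp_header();
echo render_safe($good, $allowed), "\n";
echo render_safe($crafted, $allowed), "\n";
```

The crafted value is refused by the allow-list before it ever reaches the encoder; the allow-list is the control that should not be replaced by blacklisting characters.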
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-12T14:04:41.831Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c5a6a1e14ebf9f5cc782da
Added to database: 9/13/2025, 5:15:13 PM
Last enriched: 9/13/2025, 5:30:24 PM
Last updated: 9/13/2025, 8:09:52 PM