CVE-2025-10370: Cross Site Scripting in MiczFlor RPi-Jukebox-RFID
A vulnerability was identified in MiczFlor RPi-Jukebox-RFID up to 2.8.0. This vulnerability affects unknown code of the file /htdocs/userScripts.php. Manipulation of the argument Custom script leads to cross-site scripting. The attack can be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10370 identifies a cross-site scripting (XSS) vulnerability in the MiczFlor RPi-Jukebox-RFID software, a popular open-source project designed to turn Raspberry Pi devices into RFID-controlled jukeboxes. The vulnerability resides in the /htdocs/userScripts.php file, specifically in the handling of the 'Custom script' parameter. An attacker can remotely supply crafted input to this parameter, which is not properly sanitized or encoded, allowing malicious JavaScript code injection. This XSS flaw can be exploited without authentication but requires user interaction, such as a victim clicking a maliciously crafted URL or visiting a compromised page that triggers the script. The impact includes potential session hijacking, theft of sensitive information, or execution of unauthorized actions within the web interface of the jukebox system. The vendor was notified early but has not issued a patch or response, and no official fixes are currently available. The vulnerability affects all versions up to 2.8.0, which covers the majority of deployed instances. Although no known exploits are reported in the wild, public exploit code exists, increasing the risk of exploitation. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction needed, and partial impact on integrity and confidentiality, resulting in a medium severity rating of 5.1. This vulnerability primarily threatens environments where RPi-Jukebox-RFID is used, often in educational, hobbyist, or small business contexts, where security controls may be limited.
Potential Impact
For European organizations, the impact of CVE-2025-10370 is primarily on confidentiality and integrity within the affected RPi-Jukebox-RFID web interface. Attackers can exploit the XSS vulnerability to hijack user sessions, steal cookies or credentials, or perform unauthorized actions on behalf of legitimate users. While the affected software is niche and typically used in non-critical environments, organizations using it in public or semi-public settings risk reputational damage and potential lateral movement if attackers leverage the compromised device as a foothold. The vulnerability could also be used as a vector for social engineering attacks targeting users interacting with the jukebox interface. Given the lack of vendor response and patch, the risk remains until mitigations are applied. The medium CVSS score reflects moderate impact and exploitability, but the scope is limited to systems running the vulnerable software. European entities involved in education, maker communities, or small businesses using Raspberry Pi-based jukebox solutions should be particularly vigilant.
Mitigation Recommendations
1. Immediately restrict access to the RPi-Jukebox-RFID web interface by network segmentation or firewall rules to limit exposure to trusted users only.
2. Disable or remove the functionality that allows users to input or execute custom scripts until a patch is available.
3. Implement strict input validation and output encoding on the 'Custom script' parameter to neutralize malicious payloads.
4. Educate users about the risks of clicking untrusted links or interacting with unknown web content related to the jukebox interface.
5. Monitor logs for suspicious activity indicative of XSS exploitation attempts.
6. If possible, deploy web application firewalls (WAFs) with rules targeting common XSS attack patterns on the affected endpoints.
7. Regularly check for vendor updates or community patches and apply them promptly once available.
8. Consider isolating the Raspberry Pi devices running this software from critical networks to reduce potential lateral movement.
9. Back up configuration and data regularly to enable recovery in case of compromise.
10. Engage with the open-source community to track developments and share mitigation strategies.
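As an added defensive example for step 5 (this is not code from the project or the advisory), the following Python scans web-server access-log lines for requests to userScripts.php whose query parameters carry HTML tags, inline event handlers or javascript: URIs. The log lines and the parameter name custom_script are constructed assumptions; the advisory names only the argument "Custom script", not its HTTP field name.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format). The parameter
# name "custom_script" is an assumption, not taken from the advisory.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Sep/2025:17:10:01 +0000] "GET /userScripts.php?custom_script=backup.sh HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [13/Sep/2025:17:10:05 +0000] "GET /userScripts.php?custom_script=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 600 "-" "Mozilla/5.0"
192.0.2.12 - - [13/Sep/2025:17:10:09 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.13 - - [13/Sep/2025:17:10:12 +0000] "GET /userScripts.php?custom_script=x%22%20onmouseover%3Dalert(1)%20a%3D%22 HTTP/1.1" 200 600 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*"')

# Markup fragments that have no business in a script-name parameter.
XSS_MARKERS = [
    re.compile(r"<\s*/?\s*[a-z][a-z0-9]*", re.I),  # any HTML tag opener
    re.compile(r"\bon[a-z]+\s*=", re.I),           # inline event handler
    re.compile(r"javascript\s*:", re.I),           # javascript: URI
]

def suspicious_params(query):
    """Return (name, decoded value) pairs whose value looks like injected markup."""
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes once; a second pass also exposes double-encoded input
        decoded = unquote_plus(value)
        if any(p.search(decoded) for p in XSS_MARKERS):
            hits.append((name, decoded))
    return hits

def scan_log(text):
    """One finding per request to userScripts.php carrying a markup-like parameter."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src, ts, _method, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.lower().endswith("/userscripts.php"):
            continue
        for name, value in suspicious_params(parts.query):
            findings.append({"src": src, "time": ts, "param": name, "value": value})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} param={f['param']} value={f['value']!r}")
```

Only GET requests expose their parameters in an access log; a POST to the same page would need WAF or application-level request logging to be visible to this check.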
Affected Countries
Germany, United Kingdom, Netherlands, France, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-12T14:04:41.831Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c5a6a1e14ebf9f5cc782da
Added to database: 9/13/2025, 5:15:13 PM
Last enriched: 2/4/2026, 8:23:21 AM
Last updated: 2/7/2026, 2:44:08 AM