CVE-2025-10368
BaseFortify
Publication date: 2025-09-13
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcefabric | rpi-jukebox-rfid | up to and including 2.8.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This is a cross-site scripting (XSS, CWE-79) vulnerability in MiczFlor RPi-Jukebox-RFID up to and including version 2.8.0, in the file /htdocs/manageFilesFolders.php. User-controllable input is placed into the generated HTML without being neutralized, so an attacker can inject arbitrary HTML or JavaScript that executes in the browser of anyone who loads the crafted page. Because the script runs in the origin of the jukebox web interface, it can perform actions there on the victim's behalf or read whatever that interface exposes. [1, 2]
How can this vulnerability impact me?
Remote attackers can execute scripts in your browser when you interact with the affected application, for example by following a crafted link to the vulnerable page. The script runs with your session in the web interface, so it can perform actions there, steal data shown in it, or tamper with that data. Exploitation requires user interaction and can be performed remotely. The exploit is publicly available, so vulnerable instances are easy to target. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Start with the exposure indicators: confirm the installed RPi-Jukebox-RFID version (2.8.0 or earlier is affected) and whether the web server serves `/htdocs/manageFilesFolders.php`. Google dorking with `inurl:htdocs/manageFilesFolders.php` can locate Internet-exposed instances, although a jukebox is normally reachable only on a local network. Because the flaw is user-controllable input reaching the HTML output, confirm it with an echo test: submit a harmless marker string containing characters such as `<`, `"` and `'` in each request parameter of this page and check whether the response returns the marker verbatim or only in HTML-encoded form. The record does not list specific commands. [2]
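The echo test described above, as an added example written for this page rather than code from the RPi-Jukebox-RFID project: a random canary carrying `<`, `"`, `'` and `>` is sent in one request parameter and the response is classified as echoing it raw, echoing it neutralized, or not echoing it at all. The advisory does not name the vulnerable parameter, so the parameter is a command-line argument; the two offline stub servers and their `folder` parameter are constructed purely to exercise the classifier and are not captured from a real device.

```python
"""Canary echo test for /htdocs/manageFilesFolders.php (added example, not code
from the RPi-Jukebox-RFID project). It puts a random marker containing the
characters that matter for CWE-79 into one request parameter and classifies
how the response echoes it back.
"""
import html
import secrets
import sys
import urllib.parse
import urllib.request

# The tail of the canary carries the characters an HTML context must neutralize.
CANARY_CHARS = '<"\'>'


def make_canary() -> str:
    """Random token plus special characters, so pre-existing page text cannot match."""
    return f"xss{secrets.token_hex(4)}{CANARY_CHARS}"


def classify_reflection(body: str, canary: str) -> str:
    """Return 'unencoded', 'neutralized' or 'absent' for one response body.

    unencoded   - the canary appears verbatim: input reaches HTML output raw (CWE-79)
    neutralized - the token appears but <, ", ', > were encoded or stripped
    absent      - the parameter is not echoed into this response at all
    """
    if canary in body:
        return "unencoded"
    token = canary[: -len(CANARY_CHARS)]
    if token in body:
        return "neutralized"
    return "absent"


def _http_get(url: str) -> str:
    req = urllib.request.Request(url, headers={"User-Agent": "xss-canary-probe"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def probe(url: str, param: str, fetch=_http_get) -> dict:
    """Send the canary in `param` (other query parameters are preserved) and classify.

    `fetch` maps a URL to a response body; pass a stub to run offline.
    """
    canary = make_canary()
    parts = urllib.parse.urlsplit(url)
    query = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    query[param] = canary
    target = urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))
    result = classify_reflection(fetch(target), canary)
    return {"param": param, "url": target, "result": result}


# Constructed stand-ins for a server (not real RPi-Jukebox-RFID responses) so the
# classifier can be exercised offline. The parameter name "folder" is assumed here
# for illustration; the advisory does not name the vulnerable parameter.
def _param(url: str, name: str = "folder") -> str:
    return dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query)).get(name, "")


def vulnerable_stub(url: str) -> str:
    return f"<h2>Folder: {_param(url)}</h2>"  # raw echo: the CWE-79 pattern


def hardened_stub(url: str) -> str:
    return f"<h2>Folder: {html.escape(_param(url), quote=True)}</h2>"  # output-encoded


if __name__ == "__main__":
    # usage: python probe.py http://<jukebox>/htdocs/manageFilesFolders.php <param> [<param> ...]
    base, params = sys.argv[1], sys.argv[2:]
    for p in params:
        print(probe(base, p))
```

Run it only against a device you own or are authorized to test. An `unencoded` result is the condition CWE-79 describes; `neutralized` is what a fixed page should return for every parameter, and is what the hardened stub shows by passing the value through HTML escaping before it reaches the markup.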
What immediate steps should I take to mitigate this vulnerability?
No official vendor response or mitigation measures have been provided. Immediate steps include replacing the vulnerable software with an alternative that is not affected by this vulnerability. Additionally, restricting access to the vulnerable file `/htdocs/manageFilesFolders.php` and implementing web application firewall (WAF) rules to block XSS payloads targeting this endpoint may help mitigate risk until a patch or fix is available. [2]