CVE-2025-10369
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-13

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in MiczFlor RPi-Jukebox-RFID up to 2.8.0. This affects an unknown part of the file /htdocs/cardRegisterNew.php. Executing manipulation can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-13
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-09-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10369
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sourcefabric rpi-jukebox-rfid to 2.8.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-10369 is a Cross-Site Scripting (XSS) vulnerability in MiczFlor RPi-Jukebox-RFID up to version 2.8.0, specifically in the file /htdocs/cardRegisterNew.php. It occurs because user input is not properly neutralized before being included in the web page output, allowing an attacker to inject arbitrary JavaScript code. This malicious code executes in the victim's browser when they access the affected page, potentially leading to session hijacking, defacement, or other client-side attacks. The attack can be executed remotely and requires some user interaction. [1, 2, 3]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript code in your users' browsers. This can lead to session hijacking, defacement of the web interface, or other client-side attacks that compromise the integrity of the application and potentially the security of user data. Since the attack is remote and publicly disclosed, it increases the risk of exploitation if the vulnerable software is in use. [1, 3]

Detection Guidance

This vulnerability can be detected by checking for the presence of the vulnerable file `/htdocs/cardRegisterNew.php` in MiczFlor RPi-Jukebox-RFID versions up to 2.8.0. Additionally, vulnerable targets can be identified using Google dorking with the query `inurl:htdocs/cardRegisterNew.php`. Since the vulnerability involves cross-site scripting (XSS), testing for injection of arbitrary JavaScript code into the input parameters processed by this PHP script can help detect exploitation. Specific commands to detect the vulnerable file or service could include scanning your web server for the file, e.g., using `find /var/www -name cardRegisterNew.php` or using curl to test the page for XSS payloads, e.g., `curl -G --data-urlencode "param=<script>alert(1)</script>" http://yourserver/htdocs/cardRegisterNew.php` and observing if the script is executed or reflected. [3]

Mitigation Strategies

There are no known vendor fixes or mitigations currently available for this vulnerability, as the vendor did not respond to the disclosure. Immediate steps include replacing the affected product with an alternative solution that is not vulnerable. Additionally, as a temporary mitigation, you can restrict access to the vulnerable script `/htdocs/cardRegisterNew.php` by limiting network access, applying web application firewall (WAF) rules to block malicious input patterns, or disabling the affected functionality if possible. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10369. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart