CVE-2025-10369
BaseFortify
Publication date: 2025-09-13
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcefabric | rpi-jukebox-rfid | to 2.8.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-10369 is a Cross-Site Scripting (XSS) vulnerability in MiczFlor RPi-Jukebox-RFID up to version 2.8.0, specifically in the file /htdocs/cardRegisterNew.php. It occurs because user input is not properly neutralized before being included in the web page output, allowing an attacker to inject arbitrary JavaScript code. This malicious code executes in the victim's browser when they access the affected page, potentially leading to session hijacking, defacement, or other client-side attacks. The attack can be executed remotely and requires some user interaction. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript code in your users' browsers. This can lead to session hijacking, defacement of the web interface, or other client-side attacks that compromise the integrity of the application and potentially the security of user data. Since the attack is remote and publicly disclosed, it increases the risk of exploitation if the vulnerable software is in use. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable file `/htdocs/cardRegisterNew.php` in MiczFlor RPi-Jukebox-RFID versions up to 2.8.0. Additionally, vulnerable targets can be identified using Google dorking with the query `inurl:htdocs/cardRegisterNew.php`. Since the vulnerability involves cross-site scripting (XSS), testing for injection of arbitrary JavaScript code into the input parameters processed by this PHP script can help detect exploitation. Specific commands to detect the vulnerable file or service could include scanning your web server for the file, e.g., using `find /var/www -name cardRegisterNew.php` or using curl to test the page for XSS payloads, e.g., `curl -G --data-urlencode "param=<script>alert(1)</script>" http://yourserver/htdocs/cardRegisterNew.php` and observing if the script is executed or reflected. [3]
What immediate steps should I take to mitigate this vulnerability?
There are no known vendor fixes or mitigations currently available for this vulnerability, as the vendor did not respond to the disclosure. Immediate steps include replacing the affected product with an alternative solution that is not vulnerable. Additionally, as a temporary mitigation, you can restrict access to the vulnerable script `/htdocs/cardRegisterNew.php` by limiting network access, applying web application firewall (WAF) rules to block malicious input patterns, or disabling the affected functionality if possible. [3]