CVE-2025-10370
BaseFortify
Publication date: 2025-09-13
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcefabric | rpi-jukebox-rfid | to 2.8.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Scripting (XSS) flaw in MiczFlor RPi-Jukebox-RFID up to version 2.8.0, specifically in the file /htdocs/userScripts.php. It occurs because the application improperly handles user input in the 'Custom script' argument, allowing an attacker to inject arbitrary JavaScript code. This malicious code can then be executed in the victim's browser, potentially leading to unauthorized actions or data theft. The attack can be carried out remotely and requires the victim to interact with the malicious script. [1, 2]
How can this vulnerability impact me? :
The vulnerability can allow attackers to execute arbitrary JavaScript in the context of the victim's browser, which may lead to unauthorized actions such as stealing sensitive information, hijacking user sessions, or performing actions on behalf of the user without their consent. Since the exploit is publicly available and easy to perform, it increases the risk of exploitation. However, the severity is considered low to moderate based on the CVSS score. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable file /htdocs/userScripts.php in MiczFlor RPi-Jukebox-RFID versions up to 2.8.0. Additionally, vulnerable targets can be identified using Google dorking with the query "inurl:htdocs/userScripts.php". There is no specific command-line detection tool mentioned, but searching for the file or using web vulnerability scanners to test for cross-site scripting in the Custom script parameter could help detect it. [2]
What immediate steps should I take to mitigate this vulnerability?
No official mitigation or countermeasures are currently known, and the vendor did not respond to disclosure attempts. Immediate steps include considering replacing the affected product with an alternative until a fix is available. Additionally, restricting access to the vulnerable endpoint and monitoring for exploitation attempts may help reduce risk. [2]