CVE-2025-10370

LOW

sourcefabric rpi-jukebox-rfid < 2.8.0 - Cross-Site Scripting via Custom Script Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-10370. PoCs published by Beatriz Fresno Naumova.

AI-analyzed exploit summary This PoC demonstrates a stored XSS vulnerability in RPi-Jukebox-RFID 2.8.0 via the 'customScript' parameter in userScripts.php. The payload injects arbitrary JavaScript, which executes when the page is rendered.

Description

A vulnerability was identified in MiczFlor RPi-Jukebox-RFID up to 2.8.0. This vulnerability affects unknown code of the file /htdocs/userScripts.php. The manipulation of the argument Custom script leads to cross site scripting. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Exploits (1)

exploitdb WORKING POC

by Beatriz Fresno Naumova · pythonwebappsmultiple

https://www.exploit-db.com/exploits/52470

View Code ZIP pw:eip

This PoC demonstrates a stored XSS vulnerability in RPi-Jukebox-RFID 2.8.0 via the 'customScript' parameter in userScripts.php. The payload injects arbitrary JavaScript, which executes when the page is rendered.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: RPi-Jukebox-RFID v2.8.0

No auth needed

Prerequisites: Network access to the target device · The userScripts.php page must be accessible

MITRE ATT&CK