MiczFlor RPi-Jukebox-RFID Cross-Site Scripting Vulnerability in manageFilesFolders.php
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in MiczFlor RPi-Jukebox-RFID versions up to and including 2.8.0. The flaw is in the file /htdocs/manageFilesFolders.php, where an unidentified function passes user-controlled input into the page without adequate sanitization, allowing arbitrary JavaScript to be injected and executed in the context of the user's browser. The vulnerability is exploitable remotely, and details have been made public.
Impact
Successful exploitation results in cross-site scripting: an attacker can inject malicious script that executes in the context of the victim's browser.
Reproduction
To reproduce this vulnerability, open manageFilesFolders.php on a server running MiczFlor RPi-Jukebox-RFID version 2.8.0. Once the page has loaded, submit a script payload (the report cites a base64-encoded image) through an input field that the server processes without proper sanitization. The injected script executes in the browser, demonstrating the cross-site scripting vulnerability.
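The pattern behind this class of bug, shown as an added illustration that is not code from RPi-Jukebox-RFID: a user-supplied value is echoed into HTML unencoded, beside the hardened form that encodes it at output and validates it on the way in. The parameter name (`folder`) and the rendering helper are assumptions, since the advisory does not identify the affected function.

```php
<?php
// Added illustration, not the project's code. The folder-name parameter and
// the rendering helper are assumed; the advisory does not name the function.

// Vulnerable pattern: user-controlled value placed straight into HTML.
function renderFolderNameUnsafe(string $folder): string
{
    return "<p>Current folder: $folder</p>";
}

// Hardened pattern: encode for the HTML element context at the point of output.
// ENT_QUOTES also encodes single quotes, ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8 (which would silently hide the input).
function renderFolderNameSafe(string $folder): string
{
    $encoded = htmlspecialchars($folder, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Current folder: $encoded</p>";
}

// Defence in depth: accept only a conservative set of characters before the
// value reaches the filesystem or the page. This is input validation, not a
// substitute for output encoding; both are applied.
function isValidFolderName(string $folder): bool
{
    if ($folder === '.' || $folder === '..') {
        return false;
    }
    return (bool) preg_match('/^[A-Za-z0-9 _.-]{1,100}$/', $folder);
}

// Constructed sample input of the kind an XSS probe carries; the markup is
// inert once encoded by the safe renderer.
$probe = '<img src=x onerror="alert(1)">';

// Unsafe: the markup survives intact and the browser would interpret it.
echo renderFolderNameUnsafe($probe), PHP_EOL;

// Safe: angle brackets and quotes are encoded, so the browser shows text.
echo renderFolderNameSafe($probe), PHP_EOL;

// The validator rejects the probe and accepts an ordinary folder name.
var_dump(isValidFolderName($probe));
var_dump(isValidFolderName('Kids Songs'));
```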
