Mozart FM Transmitter Under Attack: Analyzing CVE-2025-63229 XSS Vulnerability

Overview

CVE-2025-63229 describes a reflected Cross-Site Scripting (XSS) vulnerability discovered in the web management interface of the Mozart FM Transmitter. This vulnerability affects version WEBMOZZI-00287 of the firmware. By crafting a malicious URL with a specific query parameter, attackers can inject arbitrary JavaScript code into the victim’s browser, potentially leading to sensitive data theft, session hijacking, or other malicious activities.

Technical Details

The vulnerability resides in the /main0.php endpoint of the Mozart FM Transmitter's web interface, where the m query parameter is reflected into the response. User-supplied input passed through ?m= is neither validated nor HTML-encoded before being written back into the page, so an attacker can place a JavaScript payload in the m parameter. When a user clicks the malicious link, or visits a page that loads it, the script executes in the user's browser within the origin of the transmitter's web interface, with the same access to that origin that legitimate page scripts have.

Example Attack Vector:

http://[Mozart FM Transmitter IP]/main0.php?m=<script>alert('XSS Vulnerability!')</script>
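The following is an added illustration, not code from the Mozart firmware or from this advisory. It models the reflection described above in a small Python template: the vulnerable pattern concatenates the m parameter straight into HTML, while the hardened pattern HTML-encodes it on output. The element the value lands in and the function names are assumptions; the payload is the one shown in the attack vector above.

```python
from html import escape
from urllib.parse import urlsplit, parse_qs

# Constructed request URL: the hostname is a placeholder, the payload is the
# public PoC value quoted in the advisory.
SAMPLE_URL = ("http://transmitter.example/main0.php"
              "?m=<script>alert('XSS Vulnerability!')</script>")


def extract_m(url: str) -> str:
    """Return the first value of the ``m`` query parameter ('' if absent).

    parse_qs percent-decodes the value, as the server-side framework would.
    """
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("m", [""])[0]


def render_unsafe(m: str) -> str:
    """Vulnerable pattern (assumed, not the firmware's actual template):
    the raw parameter is interpolated into element content."""
    return f"<div id='msg'>{m}</div>"


def render_safe(m: str) -> str:
    """Hardened pattern: encode on output for an HTML text context.

    quote=True also encodes ' and ", so the same helper stays safe if the
    value is ever moved into a quoted attribute.
    """
    return f"<div id='msg'>{escape(m, quote=True)}</div>"


def contains_script_tag(html: str) -> bool:
    """Illustrative check: does a live <script> tag survive rendering?"""
    return "<script" in html.lower()


if __name__ == "__main__":
    value = extract_m(SAMPLE_URL)
    print("unsafe:", render_unsafe(value))   # payload reaches the page intact
    print("safe:  ", render_safe(value))     # rendered as inert text
```

The point of the comparison is that the fix belongs at the output boundary: encoding the value for the context it is written into neutralises the payload without having to guess which input strings are dangerous.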

CVSS Analysis

Unfortunately, a CVSS score and severity rating are not currently available for CVE-2025-63229. However, given that it’s a reflected XSS vulnerability, it’s typically considered a medium to high severity issue, especially if the web interface is used for sensitive configurations or management of the FM transmitter. A proper CVSS score is needed to fully gauge the impact. Factors influencing the CVSS score would include exploitability (attack vector, attack complexity, privileges required, user interaction) and impact (confidentiality, integrity, availability).

Possible Impact

Successful exploitation of this XSS vulnerability can lead to several negative consequences:

  • Data Theft: An attacker can steal cookies, session tokens, and other sensitive information stored in the user’s browser, potentially gaining unauthorized access to the Mozart FM Transmitter’s settings or other related accounts.
  • Session Hijacking: By stealing session cookies, an attacker can hijack the user’s active session and perform actions on their behalf, such as changing configurations or disrupting the FM transmitter’s operation.
  • Malware Distribution: The injected JavaScript code can redirect the user to a malicious website or download malware onto their computer.
  • Defacement: An attacker can modify the content of the web page displayed in the user’s browser, leading to defacement and reputational damage.

Mitigation or Patch Steps

The primary mitigation strategy is to update the Mozart FM Transmitter’s firmware to a version that addresses this vulnerability. Contact DB Broadcast for information regarding firmware updates.

In the absence of a patch, consider the following temporary workarounds:

  • Input Validation and Encoding: Implement strict input validation and context-aware output encoding in the web management interface so that user-supplied values cannot be interpreted as markup or script (this change must be made by the vendor, DB Broadcast).
  • Web Application Firewall (WAF): Deploy a Web Application Firewall (WAF) to filter out malicious requests and protect the web interface from XSS attacks.
  • Restrict Access: Limit access to the web management interface to only trusted users and networks.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.