Skip to main content

BDCOM P3310D CVE-2026-6995

| EUVDEUVD-2026-25671 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-04-25 VulDB
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

8
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
4.8 (MEDIUM) 1.9 (LOW)
Severity Changed
Apr 25, 2026 - 20:22 NVD
LOW MEDIUM
CVSS changed
Apr 25, 2026 - 20:22 NVD
2.4 (LOW) 4.8 (MEDIUM)
Analysis Generated
Apr 25, 2026 - 20:15 vuln.today
EUVD ID Assigned
Apr 25, 2026 - 20:00 euvd
EUVD-2026-25671
Analysis Generated
Apr 25, 2026 - 20:00 vuln.today
CVE Published
Apr 25, 2026 - 19:15 nvd
LOW 1.9

DescriptionCVE.org

A security flaw has been discovered in BDCOM P3310D 0.4.2 10.1.0F Build 86345. The impacted element is an unknown function of the file /index.asp of the component New User Page. Performing a manipulation of the argument User name results in cross site scripting. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Reflected cross-site scripting (XSS) in BDCOM P3310D 0.4.2 10.1.0F Build 86345 allows high-privileged authenticated users to inject malicious scripts via the User name parameter in the New User Page (/index.asp), affecting only the injecting user's session due to session-scoped impact. Public exploit code is available, but exploitation requires administrative credentials and user interaction (form submission), significantly limiting real-world attack surface despite the remote attack vector.

Technical ContextAI

The vulnerability exists in the New User Page component of BDCOM P3310D, specifically in the /index.asp file. The flaw stems from improper input validation on the User name parameter, a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) scenario. The application fails to sanitize or encode user-supplied input before reflecting it back in the HTTP response, enabling an attacker to inject arbitrary JavaScript code. This is a reflected XSS variant, meaning the malicious payload must be delivered to victims through crafted URLs or social engineering rather than stored permanently in the application database. The CVSS vector (AV:N/AC:L/PR:H/UI:R/S:U) indicates the vulnerability requires network access but is otherwise straightforward to trigger once an attacker has administrative credentials.

RemediationAI

No vendor-released patch is available at the time of analysis; the vendor did not respond to early disclosure attempts per the CVE description. Primary remediation options are: (1) Implement input validation and output encoding at the application level if source code access is available, specifically encoding the User name parameter with HTML entity encoding (e.g., converting < to &lt;, > to &gt;) before displaying it in the New User Page form; (2) Deploy a Web Application Firewall (WAF) with XSS filtering rules to detect and block requests containing script payloads in the User name parameter, though this adds latency and must be tuned to avoid false positives on legitimate admin names; (3) Restrict administrative access to the P3310D device to trusted networks only using network segmentation and access control lists (ACLs), limiting the scope of potential attackers with PR:H credentials; (4) Enforce strong administrative password policies and multi-factor authentication (MFA) on admin accounts to reduce the likelihood of credential compromise; (5) Monitor administrative account activity and audit logs for suspicious New User Page submissions. Organizations heavily dependent on this device should evaluate migration to alternative products with active vendor support. Compensation controls introduce trade-offs: WAF increases operational overhead; network segmentation may reduce device management flexibility; MFA may slow admin workflows. None of these are substitutes for a proper fix from the vendor.

Share

CVE-2026-6995 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy