Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A security flaw has been discovered in BDCOM P3310D 0.4.2 10.1.0F Build 86345. The impacted element is an unknown function of the file /index.asp of the component New User Page. Performing a manipulation of the argument User name results in cross site scripting. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Reflected cross-site scripting (XSS) in BDCOM P3310D 0.4.2 10.1.0F Build 86345 allows high-privileged authenticated users to inject malicious scripts via the User name parameter in the New User Page (/index.asp), affecting only the injecting user's session due to session-scoped impact. Public exploit code is available, but exploitation requires administrative credentials and user interaction (form submission), significantly limiting real-world attack surface despite the remote attack vector.
Technical ContextAI
The vulnerability exists in the New User Page component of BDCOM P3310D, specifically in the /index.asp file. The flaw stems from improper input validation on the User name parameter, a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) scenario. The application fails to sanitize or encode user-supplied input before reflecting it back in the HTTP response, enabling an attacker to inject arbitrary JavaScript code. This is a reflected XSS variant, meaning the malicious payload must be delivered to victims through crafted URLs or social engineering rather than stored permanently in the application database. The CVSS vector (AV:N/AC:L/PR:H/UI:R/S:U) indicates the vulnerability requires network access but is otherwise straightforward to trigger once an attacker has administrative credentials.
RemediationAI
No vendor-released patch is available at the time of analysis; the vendor did not respond to early disclosure attempts per the CVE description. Primary remediation options are: (1) Implement input validation and output encoding at the application level if source code access is available, specifically encoding the User name parameter with HTML entity encoding (e.g., converting < to <, > to >) before displaying it in the New User Page form; (2) Deploy a Web Application Firewall (WAF) with XSS filtering rules to detect and block requests containing script payloads in the User name parameter, though this adds latency and must be tuned to avoid false positives on legitimate admin names; (3) Restrict administrative access to the P3310D device to trusted networks only using network segmentation and access control lists (ACLs), limiting the scope of potential attackers with PR:H credentials; (4) Enforce strong administrative password policies and multi-factor authentication (MFA) on admin accounts to reduce the likelihood of credential compromise; (5) Monitor administrative account activity and audit logs for suspicious New User Page submissions. Organizations heavily dependent on this device should evaluate migration to alternative products with active vendor support. Compensation controls introduce trade-offs: WAF increases operational overhead; network segmentation may reduce device management flexibility; MFA may slow admin workflows. None of these are substitutes for a proper fix from the vendor.
Reflected cross-site scripting (XSS) in BDCOM P3310D 0.4.2 Build 86345 via the Owner parameter on the New RMON Statistic
Reflected cross-site scripting (XSS) in BDCOM P3310D 0.4.2 build 10.1.0F-86345 allows authenticated remote attackers wit
Stored cross-site scripting (XSS) in BDCOM P3310D 0.4.2 build 86345 allows authenticated remote attackers to inject mali
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25671