Skip to main content

BDCOM P3310D CVE-2026-6996

| EUVDEUVD-2026-25672 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-04-25 VulDB
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

8
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
4.8 (MEDIUM) 1.9 (LOW)
Severity Changed
Apr 25, 2026 - 20:22 NVD
LOW MEDIUM
CVSS changed
Apr 25, 2026 - 20:22 NVD
2.4 (LOW) 4.8 (MEDIUM)
Analysis Generated
Apr 25, 2026 - 20:15 vuln.today
EUVD ID Assigned
Apr 25, 2026 - 20:00 euvd
EUVD-2026-25672
Analysis Generated
Apr 25, 2026 - 20:00 vuln.today
CVE Published
Apr 25, 2026 - 19:45 nvd
LOW 1.9

DescriptionCVE.org

A weakness has been identified in BDCOM P3310D 0.4.2 10.1.0F Build 86345. This affects an unknown function of the component rmon event Tab. Executing a manipulation of the argument Description can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Stored cross-site scripting (XSS) in BDCOM P3310D 0.4.2 build 86345 allows authenticated remote attackers to inject malicious scripts via the Description parameter in the rmon event Tab component. The vulnerability requires high-privilege authentication and user interaction to trigger, limiting practical exploitation scope. Public exploit code is available; however, the low CVSS score (2.4) reflects the authentication barrier and limited confidentiality/availability impact.

Technical ContextAI

The vulnerability exists in the rmon event Tab component of BDCOM P3310D, a network management device. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates insufficient input validation and output encoding when processing the Description parameter. Attackers can inject arbitrary HTML and JavaScript that executes in the context of authenticated administrator sessions viewing the rmon event configuration interface. The affected platform runs firmware version 0.4.2 (build 86345 or potentially other builds in this version range).

RemediationAI

No vendor-released patch identified at time of analysis; vendor contact early in disclosure process resulted in no response. Organizations must implement compensating controls: (1) Restrict administrative access to P3310D web interface via firewall rules-permit access only from trusted management networks and block external access; (2) Implement network-based input filtering or WAF rules to sanitize special characters (angle brackets, quotes, script tags) in the Description parameter before reaching the rmon event Tab; (3) Deploy browser-level protections such as Content Security Policy (CSP) headers if the device supports HTTP header configuration, though this is unlikely on legacy network appliances; (4) Audit the rmon event Tab configuration regularly for suspicious injected content. As a last resort, disable the rmon event Tab feature entirely if it is not operationally required. Each mitigation trades convenience (restricted access reduces remote management flexibility; WAF adds latency; CSP may break legitimate scripts) against the low but non-zero insider risk this vulnerability represents.

Share

CVE-2026-6996 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy