Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A security vulnerability has been detected in BDCOM P3310D 0.4.2 10.1.0F Build 86345. This impacts an unknown function of the component New RMON History Page. The manipulation of the argument Owner leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Reflected cross-site scripting (XSS) in BDCOM P3310D 0.4.2 build 10.1.0F-86345 allows authenticated remote attackers with high privileges to inject malicious scripts via the Owner parameter on the New RMON History Page, requiring user interaction to execute. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification.
Technical ContextAI
The vulnerability exists in the New RMON History Page component of BDCOM P3310D network device management interface. The affected parameter 'Owner' is not properly sanitized or encoded before being reflected in the HTTP response, allowing injection of arbitrary HTML and JavaScript. This is a classic reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) where untrusted input derived from the Owner argument is included in dynamically generated web content without appropriate escaping. The vulnerability affects the web-based management interface of this network equipment, accessible via the network attack vector (AV:N in CVSS 4.0 vector).
RemediationAI
No vendor-released patch identified at time of analysis due to vendor non-responsiveness. Organizations must implement compensating controls: restrict network access to the P3310D management interface using firewall rules to allow only trusted administrator IP addresses or subnets; disable remote access to the management interface if local management suffices; use a reverse proxy or VPN gateway requiring multi-factor authentication for remote administrative access; implement HTTP security headers (Content-Security-Policy, X-XSS-Protection) if the web interface supports them; consider replacing or isolating the device if it cannot be adequately segmented from untrusted networks. Each mitigation has trade-offs: access restrictions may complicate remote support, VPN gateways add infrastructure overhead, and device replacement incurs capital cost. Monitor BDCOM security advisories for future patches, and consider escalating this issue through BDCOM's formal vulnerability disclosure process or reporting body if vendor contact fails.
Reflected cross-site scripting (XSS) in BDCOM P3310D 0.4.2 Build 86345 via the Owner parameter on the New RMON Statistic
Stored cross-site scripting (XSS) in BDCOM P3310D 0.4.2 build 86345 allows authenticated remote attackers to inject mali
Reflected cross-site scripting (XSS) in BDCOM P3310D 0.4.2 10.1.0F Build 86345 allows high-privileged authenticated user
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25676