Skip to main content

BDCOM P3310D CVE-2026-6997

| EUVDEUVD-2026-25676 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-04-25 VulDB
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

8
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
4.8 (MEDIUM) 1.9 (LOW)
Analysis Generated
Apr 25, 2026 - 20:30 vuln.today
Severity Changed
Apr 25, 2026 - 20:22 NVD
LOW MEDIUM
CVSS changed
Apr 25, 2026 - 20:22 NVD
2.4 (LOW) 4.8 (MEDIUM)
EUVD ID Assigned
Apr 25, 2026 - 20:15 euvd
EUVD-2026-25676
Analysis Generated
Apr 25, 2026 - 20:15 vuln.today
CVE Published
Apr 25, 2026 - 20:00 nvd
LOW 1.9

DescriptionCVE.org

A security vulnerability has been detected in BDCOM P3310D 0.4.2 10.1.0F Build 86345. This impacts an unknown function of the component New RMON History Page. The manipulation of the argument Owner leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Reflected cross-site scripting (XSS) in BDCOM P3310D 0.4.2 build 10.1.0F-86345 allows authenticated remote attackers with high privileges to inject malicious scripts via the Owner parameter on the New RMON History Page, requiring user interaction to execute. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification.

Technical ContextAI

The vulnerability exists in the New RMON History Page component of BDCOM P3310D network device management interface. The affected parameter 'Owner' is not properly sanitized or encoded before being reflected in the HTTP response, allowing injection of arbitrary HTML and JavaScript. This is a classic reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) where untrusted input derived from the Owner argument is included in dynamically generated web content without appropriate escaping. The vulnerability affects the web-based management interface of this network equipment, accessible via the network attack vector (AV:N in CVSS 4.0 vector).

RemediationAI

No vendor-released patch identified at time of analysis due to vendor non-responsiveness. Organizations must implement compensating controls: restrict network access to the P3310D management interface using firewall rules to allow only trusted administrator IP addresses or subnets; disable remote access to the management interface if local management suffices; use a reverse proxy or VPN gateway requiring multi-factor authentication for remote administrative access; implement HTTP security headers (Content-Security-Policy, X-XSS-Protection) if the web interface supports them; consider replacing or isolating the device if it cannot be adequately segmented from untrusted networks. Each mitigation has trade-offs: access restrictions may complicate remote support, VPN gateways add infrastructure overhead, and device replacement incurs capital cost. Monitor BDCOM security advisories for future patches, and consider escalating this issue through BDCOM's formal vulnerability disclosure process or reporting body if vendor contact fails.

Share

CVE-2026-6997 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy