Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A vulnerability was detected in BDCOM P3310D 0.4.2 10.1.0F Build 86345. Affected is an unknown function of the component New RMON Statistics Page. The manipulation of the argument Owner results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Reflected cross-site scripting (XSS) in BDCOM P3310D 0.4.2 Build 86345 via the Owner parameter on the New RMON Statistics Page allows authenticated remote attackers to inject malicious scripts. The vulnerability requires user interaction (clicking a crafted link) and high-privilege access to exploit, limiting real-world risk despite public exploit availability. The vendor has not responded to disclosure attempts.
Technical ContextAI
The vulnerability exists in the New RMON Statistics Page component of BDCOM P3310D network switch firmware, where user-supplied input to the Owner parameter is not properly sanitized before being reflected in HTTP responses. This is a classic reflected XSS (CWE-79: Improper Neutralization of Input During Web Page Generation) where an attacker crafts a malicious URL containing JavaScript in the Owner field, and the application echoes it back to the user's browser without encoding. The Remote Monitoring (RMON) MIB (Management Information Base) is a standard network management protocol, and the Statistics Page is a web-based management interface for configuring monitoring parameters.
RemediationAI
No vendor-released patch has been identified at time of analysis; BDCOM did not respond to early disclosure attempts according to the vulnerability report. Immediate remediation requires restricting access to the RMON Statistics Page and management interface: disable web-based management if not required for operations, restrict management interface access to a dedicated administrative VLAN with firewall rules limiting access by source IP, enforce strong authentication (change default credentials if present), and monitor for suspicious links in administrative channels. If the P3310D must remain in service with web management enabled, apply input validation and output encoding at the web application layer if firmware updates can be applied; otherwise, use a reverse proxy or WAF (Web Application Firewall) to filter requests to the RMON Statistics page with rules blocking suspicious Owner parameter values (e.g., HTML/JavaScript keywords). Given vendor non-responsiveness, evaluate replacing the device with a supported alternative or using it in a highly isolated, read-only monitoring role.
Reflected cross-site scripting (XSS) in BDCOM P3310D 0.4.2 build 10.1.0F-86345 allows authenticated remote attackers wit
Stored cross-site scripting (XSS) in BDCOM P3310D 0.4.2 build 86345 allows authenticated remote attackers to inject mali
Reflected cross-site scripting (XSS) in BDCOM P3310D 0.4.2 10.1.0F Build 86345 allows high-privileged authenticated user
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25675