Skip to main content

BDCOM P3310D CVE-2026-6998

| EUVDEUVD-2026-25675 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-04-25 VulDB
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

8
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
4.8 (MEDIUM) 1.9 (LOW)
Severity Changed
Apr 25, 2026 - 21:22 NVD
LOW MEDIUM
CVSS changed
Apr 25, 2026 - 21:22 NVD
2.4 (LOW) 4.8 (MEDIUM)
Analysis Generated
Apr 25, 2026 - 21:00 vuln.today
EUVD ID Assigned
Apr 25, 2026 - 20:30 euvd
EUVD-2026-25675
Analysis Generated
Apr 25, 2026 - 20:30 vuln.today
CVE Published
Apr 25, 2026 - 20:15 nvd
LOW 1.9

DescriptionCVE.org

A vulnerability was detected in BDCOM P3310D 0.4.2 10.1.0F Build 86345. Affected is an unknown function of the component New RMON Statistics Page. The manipulation of the argument Owner results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Reflected cross-site scripting (XSS) in BDCOM P3310D 0.4.2 Build 86345 via the Owner parameter on the New RMON Statistics Page allows authenticated remote attackers to inject malicious scripts. The vulnerability requires user interaction (clicking a crafted link) and high-privilege access to exploit, limiting real-world risk despite public exploit availability. The vendor has not responded to disclosure attempts.

Technical ContextAI

The vulnerability exists in the New RMON Statistics Page component of BDCOM P3310D network switch firmware, where user-supplied input to the Owner parameter is not properly sanitized before being reflected in HTTP responses. This is a classic reflected XSS (CWE-79: Improper Neutralization of Input During Web Page Generation) where an attacker crafts a malicious URL containing JavaScript in the Owner field, and the application echoes it back to the user's browser without encoding. The Remote Monitoring (RMON) MIB (Management Information Base) is a standard network management protocol, and the Statistics Page is a web-based management interface for configuring monitoring parameters.

RemediationAI

No vendor-released patch has been identified at time of analysis; BDCOM did not respond to early disclosure attempts according to the vulnerability report. Immediate remediation requires restricting access to the RMON Statistics Page and management interface: disable web-based management if not required for operations, restrict management interface access to a dedicated administrative VLAN with firewall rules limiting access by source IP, enforce strong authentication (change default credentials if present), and monitor for suspicious links in administrative channels. If the P3310D must remain in service with web management enabled, apply input validation and output encoding at the web application layer if firmware updates can be applied; otherwise, use a reverse proxy or WAF (Web Application Firewall) to filter requests to the RMON Statistics page with rules blocking suspicious Owner parameter values (e.g., HTML/JavaScript keywords). Given vendor non-responsiveness, evaluate replacing the device with a supported alternative or using it in a highly isolated, read-only monitoring role.

Share

CVE-2026-6998 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy