Skip to main content

BIVOCOM TR321 EUVDEUVD-2026-25673

| CVE-2026-6999 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-04-25 VulDB
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

8
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
4.8 (MEDIUM) 1.9 (LOW)
Analysis Generated
Apr 25, 2026 - 21:30 vuln.today
Severity Changed
Apr 25, 2026 - 21:22 NVD
LOW MEDIUM
CVSS changed
Apr 25, 2026 - 21:22 NVD
2.4 (LOW) 4.8 (MEDIUM)
EUVD ID Assigned
Apr 25, 2026 - 21:00 euvd
EUVD-2026-25673
Analysis Generated
Apr 25, 2026 - 21:00 vuln.today
CVE Published
Apr 25, 2026 - 20:45 nvd
LOW 1.9

DescriptionCVE.org

A flaw has been found in BIVOCOM TR321 21.1.1.50. Affected by this vulnerability is an unknown functionality of the component Wireless Setting. This manipulation of the argument Network Name SSID causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Cross-site scripting (XSS) vulnerability in BIVOCOM TR321 version 21.1.1.50 allows authenticated remote attackers with high privileges to inject malicious scripts via manipulation of the Network Name SSID parameter in the Wireless Setting component. The vulnerability requires user interaction to trigger and has limited integrity impact. Exploit code has been publicly published, though the vendor has not responded to disclosure attempts.

Technical ContextAI

The vulnerability exists in the Wireless Setting component of BIVOCOM TR321, a networking device firmware. The flaw is rooted in improper input validation or output encoding of the Network Name SSID parameter (CWE-79: Improper Neutralization of Input During Web Page Generation). When an attacker with high privilege credentials manipulates the SSID field, unsanitized user input is reflected in web responses without proper encoding, allowing arbitrary JavaScript execution in the context of authenticated administrators' browsers. This is a reflected XSS vulnerability affecting the device's web-based management interface.

RemediationAI

No vendor-released patch has been identified at time of analysis, and BIVOCOM has not responded to disclosure. Primary remediation options are: (1) Upgrade to a patched firmware version if available from BIVOCOM directly (verify with the vendor); (2) Restrict network access to the TR321 web management interface to trusted internal networks only, blocking external administrative access via firewall rules or network segmentation; (3) Enforce strong, unique passwords for all administrative accounts and implement multi-factor authentication if supported by the device firmware; (4) Disable remote administrative access if not operationally required, limiting management to local console or internal network access only; (5) Implement web application firewalls (WAF) or reverse proxies that sanitize SSID parameters in wireless configuration requests; (6) Monitor firmware release channels for security updates and apply them promptly once available. The trade-off of restricting remote access is reduced operational convenience for distributed administration but significantly lowers the attack surface. Given the vendor's non-responsiveness, organizations should escalate this through their support channels or consider alternative equipment vendors.

Share

EUVD-2026-25673 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy