Description
A security vulnerability has been detected in BDCOM P3310D 0.4.2 10.1.0F Build 86345. This impacts an unknown function of the component New RMON History Page. The manipulation of the argument Owner leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-25
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the New RMON History component of BDCOM P3310D firmware. Manipulation of the 'Owner' parameter allows an attacker to inject arbitrary scripts into the response. This can lead to client‑side code execution, which may compromise user sessions, steal credentials, or perform other malicious actions on the victim's browser. The attack requires sending a crafted request containing the malicious payload to the affected page, which is reachable remotely.

Affected Systems

Affected firmware is BDCOM P3310D version 0.4.2 10.1.0F Build 86345. No other versions are listed in the advisory. The vulnerability is specific to the New RMON History Page component.

Risk and Exploitability

The CVSS base score of 4.8 indicates moderate severity. The EPSS value of < 1% suggests a very low probability of exploitation at present, and the vulnerability is not currently listed in the CISA KEV catalog. However, the exploit was publicly disclosed and could be used by adversaries who can reach the device from the network. Because the attack vector is remote, the main prerequisite is network access to the device’s management interface. No authentication requirement is stated, so it is likely that the page is publicly accessible, increasing the overall risk.

Generated by OpenCVE AI on April 28, 2026 at 05:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device to a firmware version that contains an input validation fix for the Owner parameter, if available from BDCOM.
  • If a patch is not yet available, restrict access to the New RMON History page by enforcing network‑level authentication or firewall rules so only trusted management hosts can contact it.
  • Sanitize and escape the Owner input before rendering it on the page, or configure the web server to use a Content‑Security‑Policy header that blocks inline script execution.

Generated by OpenCVE AI on April 28, 2026 at 05:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Bdcom
Bdcom p3310d
Vendors & Products Bdcom
Bdcom p3310d

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 25 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in BDCOM P3310D 0.4.2 10.1.0F Build 86345. This impacts an unknown function of the component New RMON History Page. The manipulation of the argument Owner leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title BDCOM P3310D New RMON History cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Bdcom P3310d
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T13:34:03.853Z

Reserved: 2026-04-24T19:57:59.814Z

Link: CVE-2026-6997

cve-icon Vulnrichment

Updated: 2026-04-27T13:18:56.701Z

cve-icon NVD

Status : Deferred

Published: 2026-04-25T20:16:18.397

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-6997

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T05:30:23Z

Weaknesses