Description
A vulnerability was detected in BDCOM P3310D 0.4.2 10.1.0F Build 86345. Affected is an unknown function of the component New RMON Statistics Page. The manipulation of the argument Owner results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-25
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross Site Scripting via the Owner parameter in BDCOM P3310D’s New RMON Statistics Page
Action: Assess Impact
AI Analysis

Impact

The reported vulnerability resides in the New RMON Statistics Page of BDCOM P3310D. By supplying a crafted value for the Owner argument, an attacker can inject arbitrary script into the page. This cross‑site scripting fault allows execution of malicious JavaScript in the context of any user who views the page, enabling session hijacking, cookie theft, or defacement. The weakness is classified as CWE‑79 and CWE‑94.

Affected Systems

The affected vendor is BDCOM, product P3310D, versions including 0.4.2 10.1.0F Build 86345. Earlier or later build numbers are not explicitly enumerated in the advisory, so all releases around that build should be considered potentially vulnerable until a vendor update is released.

Risk and Exploitability

The CVSS base score of 4.8 indicates moderate severity, while the EPSS score of less than 1% suggests a low chance of exploitation currently. The vulnerability is not listed in CISA KEV, implying no known widespread attacks as of now. The attack vector is remote and relies on access to the P3310D web interface, so a public or unprotected instance presents a higher risk. The CVSS 4.0 vector on this record (PR:H, UI:P) also indicates that the attacker needs high privileges and that a user must interact for the attack to succeed. Once the flaw is exploited, an attacker can inject client‑side code, but the vulnerability does not grant direct control over the host.

Generated by OpenCVE AI on April 28, 2026 at 05:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑issued patch or firmware update for BDCOM P3310D that addresses the RMON Statistics XSS flaw.
  • If no patch exists, implement input validation or output encoding for the Owner query parameter to neutralise injected scripts.
  • Deploy a Web Application Firewall or enforce a Content Security Policy that restricts script execution on the affected page.
  • Immediately restrict or disable access to the New RMON Statistics Page until remediation is applied.


Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Bdcom; Bdcom p3310d
Vendors & Products | | Bdcom; Bdcom p3310d

Mon, 27 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 25 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was detected in BDCOM P3310D 0.4.2 10.1.0F Build 86345. Affected is an unknown function of the component New RMON Statistics Page. The manipulation of the argument Owner results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | BDCOM P3310D New RMON Statistics cross site scripting
Weaknesses | | CWE-79; CWE-94
References | |
Metrics | | cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T13:49:45.449Z

Reserved: 2026-04-24T19:58:02.951Z

Link: CVE-2026-6998

Vulnrichment

Updated: 2026-04-27T13:49:39.812Z

NVD

Status: Deferred

Published: 2026-04-25T21:16:18.383

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-6998

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:30:23Z
