Description
A flaw has been found in BIVOCOM TR321 21.1.1.50. Affected by this vulnerability is an unknown functionality of the component Wireless Setting. Manipulation of the argument Network Name SSID causes cross-site scripting. The attack can be carried out remotely. The exploit has been published and may be used. You should upgrade the affected component.
Published: 2026-04-25
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw has been found in BIVOCOM TR321 firmware 21.1.1.50. The Wireless Setting component’s Network Name (SSID) argument can be manipulated, causing cross‑site scripting. This flaw can be exploited remotely, and the code to perform the attack has been published. The vulnerability permits a remote attacker to inject arbitrary scripts into the device’s web UI, potentially compromising confidentiality and integrity of the device’s configuration and session information. The weakness is rooted in improper input validation and output encoding, as identified by CWE‑79 and CWE‑94.

Affected Systems

The vulnerability affects BIVOCOM TR321 devices running firmware 21.1.1.50, specifically the Wireless Setting feature that processes the SSID parameter. No other product versions or vendors are listed as impacted.

Risk and Exploitability

The CVSS rating of 4.8 places this flaw in the medium-severity range, and the EPSS score of less than 1% indicates a low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog, and the vendor has released an update that addresses this vulnerability. However, the exploit code has been published and can be used remotely by manipulating the SSID input over the wireless interface. Attackers could potentially trigger the flaw by sending crafted packets to the device, making the attack vector likely remote and network-based. The CVSS vectors recorded for this entry specify high privileges (PR:H) and user interaction (UI:R in v3.x, UI:P in v4.0), so exploitation requires a highly privileged account and user interaction.

Generated by OpenCVE AI on May 14, 2026 at 10:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Implement input validation and output encoding for the SSID field to prevent script injection
  • Apply any available firmware update from BIVOCOM that addresses the Wireless Setting XSS flaw, or await a vendor patch
  • Segregate the device on a protected network segment and restrict remote HTTP access with a firewall or VPN to limit exposure

Advisories

No advisories yet.

History

Thu, 14 May 2026 09:15:00 +0000

Description
  Values Removed: A flaw has been found in BIVOCOM TR321 21.1.1.50. Affected by this vulnerability is an unknown functionality of the component Wireless Setting. This manipulation of the argument Network Name SSID causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
  Values Added: A flaw has been found in BIVOCOM TR321 21.1.1.50. Affected by this vulnerability is an unknown functionality of the component Wireless Setting. This manipulation of the argument Network Name SSID causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. You should upgrade the affected component.

Metrics
  Values Removed:
    cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  Values Added:
    cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}
    cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
    cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}


Mon, 27 Apr 2026 20:15:00 +0000

First Time appeared
  Values Added: Bivocom; Bivocom tr321

Vendors & Products
  Values Added: Bivocom; Bivocom tr321

Mon, 27 Apr 2026 17:15:00 +0000

Metrics
  Values Added:
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 25 Apr 2026 21:00:00 +0000

Description
  Values Added: A flaw has been found in BIVOCOM TR321 21.1.1.50. Affected by this vulnerability is an unknown functionality of the component Wireless Setting. This manipulation of the argument Network Name SSID causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Title
  Values Added: BIVOCOM TR321 Wireless Setting cross site scripting

Weaknesses
  Values Added: CWE-79; CWE-94

References

Metrics
  Values Added:
    cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-14T08:50:44.556Z

Reserved: 2026-04-24T20:10:12.113Z

Link: CVE-2026-6999

Vulnrichment

Updated: 2026-04-27T17:08:31.909Z

NVD

Status: Deferred

Published: 2026-04-25T21:16:19.667

Modified: 2026-05-14T09:16:28.170

Link: CVE-2026-6999

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T11:00:12Z

Weaknesses