Description
A vulnerability was found in Datacom DM4100 1.3.6.1.4.1.3709. This affects an unknown part of the component Ethernet Configuration Page. Performing a manipulation of the argument Name results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-25
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting
Action: Assess Impact
AI Analysis

Impact

The vulnerability is a cross‑site scripting flaw in the Ethernet Configuration Page of Datacom DM4100. Manipulating the Name argument allows a remote attacker to inject and execute arbitrary script in the web interface, potentially hijacking user sessions, stealing credentials, or defacing the management portal. The weakness is classified as CWE‑79 and CWE‑94, and an exploit has been made public. The vendor did not respond to the disclosure, so no official fix has been published.

Affected Systems

The affected device is the Datacom DM4100 running firmware 1.3.6.1.4.1.3709. No other vendors, products, or versions have been reported as impacted in the CVE record. The vulnerable component is the Ethernet Configuration Page of this firmware.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity. The EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is currently low, and the vulnerability is not listed in CISA’s KEV catalog. However, the flaw is exploitable remotely via a crafted web request to the configuration interface, requiring only network connectivity to the device’s management port. If exploited, an attacker could execute scripts with the privileges of the web interface, affecting confidentiality, integrity, and availability of the device’s configuration and potentially the broader network.

Generated by OpenCVE AI on April 28, 2026 at 05:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Enable authentication and role‑based access control on the DM4100 web console, ensuring only authorized administrators can access the Ethernet Configuration Page.
  • Limit exposure of the management interface by restricting allowed IP ranges or VPN access and blocking all other traffic to the device’s management port.
  • If a firmware update that removes the XSS flaw is not available, consider disabling the Ethernet Configuration feature or replacing the device with a newer model that includes the patch.



Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Datacom; Datacom dm4100 |
| Vendors & Products | | Datacom; Datacom dm4100 |

Mon, 27 Apr 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Sat, 25 Apr 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability was found in Datacom DM4100 1.3.6.1.4.1.3709. This affects an unknown part of the component Ethernet Configuration Page. Performing a manipulation of the argument Name results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| Title | | Datacom DM4100 Ethernet Configuration cross site scripting |
| Weaknesses | | CWE-79; CWE-94 |
| References | | |
| Metrics | | cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'} |
| | | cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'} |
| | | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T13:29:36.608Z

Reserved: 2026-04-24T20:17:23.235Z

Link: CVE-2026-7001

Vulnrichment

Updated: 2026-04-27T13:27:54.354Z

NVD

Status: Deferred

Published: 2026-04-25T22:16:19.647

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7001

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:30:23Z

Weaknesses