CVE-2010-0172

toolkit/components/passwordmgr/src/nsLoginManagerPrompter.js in the asynchronous Authorization Prompt implementation in Mozilla Firefox 3.6 before 3.6.2 does not properly handle concurrent authorization requests from multiple web sites, which might allow remote web servers to spoof an authorization dialog and capture credentials by demanding HTTP authentication in opportunistic circumstances.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.mandriva.com/security/advisories?name=MDVSA-2010:070
http://www.mozilla.org/security/announce/2010/mfsa2010-15.html	Patch
http://www.securityfocus.com/bid/38918
http://www.vupen.com/english/advisories/2010/0692
https://bugzilla.mozilla.org/show_bug.cgi?id=537862
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8281

Configurations

Configuration 1 (hide)

cpe:2.3:a:mozilla:firefox:3.6:*:*:*:*:*:*:*

History

No history.

Information

Published : 2010-03-25 21:00

Updated : 2024-02-28 11:41

NVD link : CVE-2010-0172

Mitre link : CVE-2010-0172

CVE.ORG link : CVE-2010-0172

JSON object : View

Products Affected

mozilla

firefox

CWE

NVD-CWE-Other

{"id": "CVE-2010-0172", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2010-03-25T21:00:00.627", "references": [{"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:070", "source": "cve@mitre.org"}, {"url": "http://www.mozilla.org/security/announce/2010/mfsa2010-15.html", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/38918", "source": "cve@mitre.org"}, {"url": "http://www.vupen.com/english/advisories/2010/0692", "source": "cve@mitre.org"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=537862", "source": "cve@mitre.org"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8281", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "toolkit/components/passwordmgr/src/nsLoginManagerPrompter.js in the asynchronous Authorization Prompt implementation in Mozilla Firefox 3.6 before 3.6.2 does not properly handle concurrent authorization requests from multiple web sites, which might allow remote web servers to spoof an authorization dialog and capture credentials by demanding HTTP authentication in opportunistic circumstances."}, {"lang": "es", "value": "toolkit/components/passwordmgr/src/nsLoginManagerPrompter.js en la implementaci\u00f3n Authorization Prompt en Mozilla Firefox v3.6 anterior a v3.6.2, no maneja adecuadamente las peticiones de autorizaci\u00f3n concurrentes para m\u00faltiples sitios web, lo que podr\u00eda permitir a servidores web remotos falsificar un cuadro de di\u00e1logo de autorizaci\u00f3n y capturar las credenciales mediante la demanda de una autenticaci\u00f3n HTTP en unas condiciones propicias."}], "lastModified": "2017-09-19T01:30:15.563", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:3.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F3782354-7EB7-49D2-B240-1871F6CB84C7"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}