CVE-2010-0172

toolkit/components/passwordmgr/src/nsLoginManagerPrompter.js in the asynchronous Authorization Prompt implementation in Mozilla Firefox 3.6 before 3.6.2 does not properly handle concurrent authorization requests from multiple web sites, which might allow remote web servers to spoof an authorization dialog and capture credentials by demanding HTTP authentication in opportunistic circumstances.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.mozilla.org/security/announce/2010/mfsa2010-15.html	Patch
https://bugzilla.mozilla.org/show_bug.cgi?id=537862
http://www.securityfocus.com/bid/38918
http://www.vupen.com/english/advisories/2010/0692
http://www.mandriva.com/security/advisories?name=MDVSA-2010:070
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8281

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:mozilla:firefox:3.6:*:*:*:*:*:*:*

Information

Published : 2010-03-25 14:00

Updated : 2017-09-18 18:30

NVD link : CVE-2010-0172

Mitre link : CVE-2010-0172

JSON object : View

CWE

NVD-CWE-Other

Advertisement

Products Affected

mozilla

firefox

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.mozilla.org/security/announce/2010/mfsa2010-15.html", "name": "http://www.mozilla.org/security/announce/2010/mfsa2010-15.html", "tags": ["Patch"], "refsource": "CONFIRM"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=537862", "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=537862", "tags": [], "refsource": "CONFIRM"}, {"url": "http://www.securityfocus.com/bid/38918", "name": "38918", "tags": [], "refsource": "BID"}, {"url": "http://www.vupen.com/english/advisories/2010/0692", "name": "ADV-2010-0692", "tags": [], "refsource": "VUPEN"}, {"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:070", "name": "MDVSA-2010:070", "tags": [], "refsource": "MANDRIVA"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8281", "name": "oval:org.mitre.oval:def:8281", "tags": [], "refsource": "OVAL"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "toolkit/components/passwordmgr/src/nsLoginManagerPrompter.js in the asynchronous Authorization Prompt implementation in Mozilla Firefox 3.6 before 3.6.2 does not properly handle concurrent authorization requests from multiple web sites, which might allow remote web servers to spoof an authorization dialog and capture credentials by demanding HTTP authentication in opportunistic circumstances."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2010-0172", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2010-03-25T21:00Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:mozilla:firefox:3.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-09-19T01:30Z"}