CVE-2010-0172 - toolkit/components/passwordmgr/src/nsLoginManagerPrompter.js in the asynchronous Authorization Promp

CVE-2010-0172

Summary

toolkit/components/passwordmgr/src/nsLoginManagerPrompter.js in the asynchronous Authorization Prompt implementation in Mozilla Firefox 3.6 before 3.6.2 does not properly handle concurrent authorization requests from multiple web sites, which might allow remote web servers to spoof an authorization dialog and capture credentials by demanding HTTP authentication in opportunistic circumstances.

References

Vulnerable Configurations

cpe:2.3:a:mozilla:firefox:3.6:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:3.6:*:*:*:*:*:*:*

CVSS

Base:	4.3 (as of 19-09-2017 - 01:30)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:N/A:N

oval via4

accepted

2014-10-06T04:04:36.166-04:00

class

vulnerability

contributors

name J. Daniel Brown
organization DTCC
name Sergey Artykhov
organization ALTX-SOFT
name Sergey Artykhov
organization ALTX-SOFT
name Maria Mikhno
organization ALTX-SOFT
name Evgeniy Pavlov
organization ALTX-SOFT
name Evgeniy Pavlov
organization ALTX-SOFT
name Evgeniy Pavlov
organization ALTX-SOFT

definition_extensions

comment	Mozilla Firefox Mainline release is installed
oval	oval:org.mitre.oval:def:22259

description

family

windows

oval:org.mitre.oval:def:8281

status

accepted

submitted

2010-03-25T10:30:00.000-05:00

title

Mozilla Firefox Asynchronous HTTP Authorization Prompt Information Disclosure Vulnerability

version

refmap via4

bid	38918
confirm	http://www.mozilla.org/security/announce/2010/mfsa2010-15.html https://bugzilla.mozilla.org/show_bug.cgi?id=537862
mandriva	MDVSA-2010:070
vupen	ADV-2010-0692

Last major update

19-09-2017 - 01:30

Published

25-03-2010 - 21:00

Last modified

19-09-2017 - 01:30