FKIE_CVE-2010-0172

Vulnerability from fkie_nvd - Published: 2010-03-25 21:00 - Updated: 2025-04-11 00:51
Severity ?
Summary
toolkit/components/passwordmgr/src/nsLoginManagerPrompter.js in the asynchronous Authorization Prompt implementation in Mozilla Firefox 3.6 before 3.6.2 does not properly handle concurrent authorization requests from multiple web sites, which might allow remote web servers to spoof an authorization dialog and capture credentials by demanding HTTP authentication in opportunistic circumstances.
References
cve@mitre.orghttp://www.mandriva.com/security/advisories?name=MDVSA-2010:070
cve@mitre.orghttp://www.mozilla.org/security/announce/2010/mfsa2010-15.htmlPatch
cve@mitre.orghttp://www.securityfocus.com/bid/38918
cve@mitre.orghttp://www.vupen.com/english/advisories/2010/0692
cve@mitre.orghttps://bugzilla.mozilla.org/show_bug.cgi?id=537862
cve@mitre.orghttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8281
af854a3a-2127-422b-91ae-364da2661108http://www.mandriva.com/security/advisories?name=MDVSA-2010:070
af854a3a-2127-422b-91ae-364da2661108http://www.mozilla.org/security/announce/2010/mfsa2010-15.htmlPatch
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/38918
af854a3a-2127-422b-91ae-364da2661108http://www.vupen.com/english/advisories/2010/0692
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.mozilla.org/show_bug.cgi?id=537862
af854a3a-2127-422b-91ae-364da2661108https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8281
Impacted products
Vendor Product Version
mozilla firefox 3.6
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mozilla:firefox:3.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "F3782354-7EB7-49D2-B240-1871F6CB84C7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "toolkit/components/passwordmgr/src/nsLoginManagerPrompter.js in the asynchronous Authorization Prompt implementation in Mozilla Firefox 3.6 before 3.6.2 does not properly handle concurrent authorization requests from multiple web sites, which might allow remote web servers to spoof an authorization dialog and capture credentials by demanding HTTP authentication in opportunistic circumstances."
    },
    {
      "lang": "es",
      "value": "toolkit/components/passwordmgr/src/nsLoginManagerPrompter.js en la implementaci\u00f3n Authorization Prompt  en Mozilla Firefox v3.6 anterior a v3.6.2, no maneja adecuadamente las peticiones de autorizaci\u00f3n concurrentes para m\u00faltiples sitios web, lo que podr\u00eda permitir a servidores web remotos falsificar un cuadro de di\u00e1logo de autorizaci\u00f3n y capturar las credenciales mediante la demanda de una autenticaci\u00f3n HTTP en unas condiciones propicias."
    }
  ],
  "id": "CVE-2010-0172",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2010-03-25T21:00:00.627",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:070"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://www.mozilla.org/security/announce/2010/mfsa2010-15.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/bid/38918"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.vupen.com/english/advisories/2010/0692"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=537862"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8281"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:070"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://www.mozilla.org/security/announce/2010/mfsa2010-15.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/38918"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.vupen.com/english/advisories/2010/0692"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=537862"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8281"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.