CVE-2010-0172 - Vulnerability Details - OpenCVE

toolkit/components/passwordmgr/src/nsLoginManagerPrompter.js in the asynchronous Authorization Prompt implementation in Mozilla Firefox 3.6 before 3.6.2 does not properly handle concurrent authorization requests from multiple web sites, which might allow remote web servers to spoof an authorization dialog and capture credentials by demanding HTTP authentication in opportunistic circumstances.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mozilla	Firefox

Configuration 1 [-]

cpe:2.3:a:mozilla:firefox:3.6:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.mandriva.com/security/advisories?name=MDVSA-2010:070
http://www.mozilla.org/security/announce/2010/mfsa2010-15.html
http://www.securityfocus.com/bid/38918
http://www.vupen.com/english/advisories/2010/0692
https://bugzilla.mozilla.org/show_bug.cgi?id=537862
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8281

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2010-03-25T20:31:00.000Z

Updated: 2024-08-07T00:37:54.085Z

Reserved: 2010-01-06T00:00:00.000Z

Link: CVE-2010-0172

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2010-03-25T21:00:00.627

Modified: 2025-04-11T00:51:21.963

Link: CVE-2010-0172

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2010-03-23T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "toolkit/components/passwordmgr/src/nsLoginManagerPrompter.js in the asynchronous Authorization Prompt implementation in Mozilla Firefox 3.6 before 3.6.2 does not properly handle concurrent authorization requests from multiple web sites, which might allow remote web servers to spoof an authorization dialog and capture credentials by demanding HTTP authentication in opportunistic circumstances."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-18T12:57:01.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "38918", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/38918"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.mozilla.org/security/announce/2010/mfsa2010-15.html"}, {"name": "oval:org.mitre.oval:def:8281", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8281"}, {"name": "MDVSA-2010:070", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:070"}, {"name": "ADV-2010-0692", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2010/0692"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=537862"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-0172", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "toolkit/components/passwordmgr/src/nsLoginManagerPrompter.js in the asynchronous Authorization Prompt implementation in Mozilla Firefox 3.6 before 3.6.2 does not properly handle concurrent authorization requests from multiple web sites, which might allow remote web servers to spoof an authorization dialog and capture credentials by demanding HTTP authentication in opportunistic circumstances."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "38918", "refsource": "BID", "url": "http://www.securityfocus.com/bid/38918"}, {"name": "http://www.mozilla.org/security/announce/2010/mfsa2010-15.html", "refsource": "CONFIRM", "url": "http://www.mozilla.org/security/announce/2010/mfsa2010-15.html"}, {"name": "oval:org.mitre.oval:def:8281", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8281"}, {"name": "MDVSA-2010:070", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:070"}, {"name": "ADV-2010-0692", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2010/0692"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=537862", "refsource": "CONFIRM", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=537862"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T00:37:54.085Z"}, "title": "CVE Program Container", "references": [{"name": "38918", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/38918"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.mozilla.org/security/announce/2010/mfsa2010-15.html"}, {"name": "oval:org.mitre.oval:def:8281", "tags": ["vdb-entry", "signature", "x_refsource_OVAL", "x_transferred"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8281"}, {"name": "MDVSA-2010:070", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:070"}, {"name": "ADV-2010-0692", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2010/0692"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=537862"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-0172", "datePublished": "2010-03-25T20:31:00.000Z", "dateReserved": "2010-01-06T00:00:00.000Z", "dateUpdated": "2024-08-07T00:37:54.085Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:3.6:*:*:*:*:*:*:*", "matchCriteriaId": "F3782354-7EB7-49D2-B240-1871F6CB84C7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "toolkit/components/passwordmgr/src/nsLoginManagerPrompter.js in the asynchronous Authorization Prompt implementation in Mozilla Firefox 3.6 before 3.6.2 does not properly handle concurrent authorization requests from multiple web sites, which might allow remote web servers to spoof an authorization dialog and capture credentials by demanding HTTP authentication in opportunistic circumstances."}, {"lang": "es", "value": "toolkit/components/passwordmgr/src/nsLoginManagerPrompter.js en la implementaci\u00f3n Authorization Prompt en Mozilla Firefox v3.6 anterior a v3.6.2, no maneja adecuadamente las peticiones de autorizaci\u00f3n concurrentes para m\u00faltiples sitios web, lo que podr\u00eda permitir a servidores web remotos falsificar un cuadro de di\u00e1logo de autorizaci\u00f3n y capturar las credenciales mediante la demanda de una autenticaci\u00f3n HTTP en unas condiciones propicias."}], "id": "CVE-2010-0172", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2010-03-25T21:00:00.627", "references": [{"source": "cve@mitre.org", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:070"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.mozilla.org/security/announce/2010/mfsa2010-15.html"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/38918"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2010/0692"}, {"source": "cve@mitre.org", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=537862"}, {"source": "cve@mitre.org", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8281"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:070"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://www.mozilla.org/security/announce/2010/mfsa2010-15.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/38918"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2010/0692"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=537862"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8281"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}