Description

Mozilla Firefox 1.0.4 and 1.0.5 does not choose the challenge with the strongest authentication scheme available as required by RFC2617, which might cause credentials to be sent in plaintext even if an encrypted channel is available.

References

http://securityreason.com/securityalert/8

http://www.osvdb.org/19002

http://www.securiteam.com/securitynews/5PP0L00GUQ.html

http://www.securityfocus.com/archive/1/405666

http://www.securityfocus.com/bid/14325

https://bugzilla.mozilla.org/show_bug.cgi?id=281851

https://exchange.xforce.ibmcloud.com/vulnerabilities/22272

Details

Risk Information

CVSS v2