Active eavesdropper MIM::
With a MIM able to not only see, but also modify information exchanged between you and the server (e.g. a proxy), I can intercept the first message and change the salt and nonce to zero values.
You will reply with a hash of your password with basically no extra data added to it. I can take this hash and look it up in a pre-computed table (lookup table or rainbow table) to see if I can find your password matching the hash.
Passive eavesdropper MIM::
Now, let's say I'm an observer only and cannot modify any data within your communication but still see it all.
Since I know your salt and nonce, I can attempt brute force or dictionary attacks on your password. This is probably more expensive but would still work in case your password is weak.
This should show you how important it is to exchange authentication information over a secure channel. The minimum requirement should be TLS with server certificate verification.
Edit: server certificate verification includes certificate chain verification and server hostname verification (the host you're connecting to is the one listed in the server certificate). The latter is important to prevent MIM attacks.
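The two verification steps named above, as an added example that is not part of the original answer: a Python `ssl` client context with both checks on, beside two weaker contexts, and a check that refuses to connect when either step is missing. The function names are hypothetical; only standard-library `ssl` and `socket` calls are used.

```python
import socket
import ssl


def hardened_context():
    """Client context that verifies the certificate chain and the hostname."""
    # create_default_context() loads the system trust anchors and sets
    # verify_mode=CERT_REQUIRED and check_hostname=True.
    return ssl.create_default_context()


def chain_only_context():
    """Weak: the chain is verified, but any valid certificate is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def unverified_context():
    """Weak: traffic is encrypted, but the peer is not authenticated at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the verification gaps that leave a login exchange interceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("server hostname is not verified")
    return findings


def open_verified(host, port=443, ctx=None):
    """Open a TLS connection, refusing contexts that skip either check."""
    ctx = ctx or hardened_context()
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing to send credentials: " + "; ".join(problems))
    raw = socket.create_connection((host, port), timeout=10)
    # server_hostname is used for SNI and is the name matched against the cert.
    return ctx.wrap_socket(raw, server_hostname=host)
```

A failed chain or hostname check surfaces from `wrap_socket` as `ssl.SSLCertVerificationError`, before any salt, nonce or password hash is exchanged.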