CVE-2020-37109
Published: 07 February 2026
Summary
CVE-2020-37109 is a medium-severity Classic Buffer Overflow (CWE-120) vulnerability in aSc TimeTables (product inferred from references). Its CVSS base score is 6.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked in the 8.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2020-37109 is a denial of service vulnerability in aSc TimeTables version 2020.11.4. The flaw involves a buffer overflow (CWE-120) in the Subject title field, where attackers can overwrite it with a large 1000-character buffer, causing the application to crash and resulting in potential instability.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), meaning it is exploitable remotely over the network with low attack complexity, no privileges or user interaction required, and high impact on availability with no effect on confidentiality or integrity. Any unauthenticated attacker can generate the oversized buffer and paste it into the Subject title field to trigger the crash and deny service to the application.
Advisories and related resources, including those from VulnCheck at https://www.vulncheck.com/advisories/asc-timetables-denial-of-service, the vendor site at https://www.asctimetables.com/#!/home, and a proof-of-concept exploit at https://www.exploit-db.com/exploits/48133, provide further details on the issue. The CVE was published on 2026-02-07T00:15:54.433.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-31102
Vulnerability details
aSc TimeTables 2020.11.4 contains a denial of service vulnerability that allows attackers to crash the application by overwriting the Subject title field with a large buffer. Attackers can generate a 1000-character buffer and paste it into the Subject title to trigger an application crash and potential instability.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The buffer overflow in the Subject title field directly enables an application crash for denial of service, matching T1499.004 (Application or System Exploitation), with a remote, unauthenticated trigger per the CVSS vector.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of the Subject title input's size and format, so the 1000-character buffer is rejected before it reaches the vulnerable parsing routine.
- SI-16 (Memory Protection): enforces memory bounds checking and protection mechanisms that would stop the buffer overflow (CWE-120) from corrupting memory and crashing the process.
- Denial-of-service protection: limits the impact of resource-exhaustion or crash-inducing inputs on application availability.
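As an added illustration of the SI-10 control above (this is not code from aSc TimeTables or from the advisory), the classic CWE-120 copy into a fixed-size Subject title buffer is shown next to a version that validates the input length first and rejects the 1000-character title. The 64-byte field size, the struct and the function names are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed field size; the advisory does not publish the product's real limit. */
#define SUBJECT_TITLE_MAX 64

struct subject {
    char title[SUBJECT_TITLE_MAX];
};

/* Vulnerable pattern (CWE-120): strcpy copies until NUL, so a 1000-byte title runs past the array. Shown for contrast only, never called. */
void set_subject_title_unsafe(struct subject *s, const char *input) {
    strcpy(s->title, input);
}

/* Length of 's' capped at 'max', so a huge or unterminated string is never scanned past the limit we are willing to accept. */
static size_t bounded_len(const char *s, size_t max) {
    const char *nul = memchr(s, '\0', max);
    return nul ? (size_t)(nul - s) : max;
}

/* Hardened (NIST SI-10): validate size before copying; reject rather than silently truncate, so the caller can report an error to the user. */
int set_subject_title(struct subject *s, const char *input) {
    size_t n = bounded_len(input, SUBJECT_TITLE_MAX);
    if (n >= SUBJECT_TITLE_MAX) {
        return -1;  /* too long: no room left for the terminating NUL */
    }
    memcpy(s->title, input, n);
    s->title[n] = '\0';
    return 0;
}

/* Constructed input mirroring the advisory: 'len' repeated 'A' characters (caller frees). */
char *make_oversized_title(size_t len) {
    char *buf = malloc(len + 1);
    if (!buf) return NULL;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return buf;
}

int main(void) {
    struct subject s;
    char *big = make_oversized_title(1000);
    printf("short title: %d, 1000-char title: %d\n", set_subject_title(&s, "Mathematics"), set_subject_title(&s, big));
    free(big);
    return 0;
}
```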