CVE-2020-37190
Published: 11 February 2026
Summary
CVE-2020-37190 is a medium-severity Classic Buffer Overflow (CWE-120) vulnerability in Top Password Firefox Password Recovery (the affected product is inferred from references). Its CVSS base score is 4.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 10.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
Top Password Firefox Password Recovery 2.8 is affected by CVE-2020-37190, a denial of service vulnerability stemming from CWE-120 (buffer copy without checking size of input). The flaw allows attackers to crash the application by overflowing input fields, specifically by inserting 5000 characters into the User Name or Registration Code fields. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and was published on 2026-02-11.
Unauthenticated attackers (PR:N) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and without requiring user interaction (UI:N). By submitting 5000 characters to the specified input fields, they can trigger a crash of the Top Password Firefox Password Recovery 2.8 application, resulting in a denial of service.
Advisories and related resources include a proof-of-concept exploit on Exploit-DB (https://www.exploit-db.com/exploits/47912), the vendor's website (https://www.top-password.com/), and a VulnCheck advisory detailing the denial of service issue (https://www.vulncheck.com/advisories/top-password-firefox-password-recovery-denial-of-service). No specific patch or mitigation details are outlined in the core vulnerability data.
A proof-of-concept exploit is publicly available, indicating potential for demonstration or targeted denial of service attacks against affected installations of this legacy password recovery tool.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-31142
Vulnerability details
Top Password Firefox Password Recovery 2.8 contains a denial of service vulnerability that allows attackers to crash the application by overflowing input fields. Attackers can trigger the vulnerability by inserting 5000 characters into the User Name or Registration Code input fields.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow in input fields directly enables application exploitation resulting in denial of service.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents the buffer overflow DoS in CVE-2020-37190 by validating length and content of the User Name and Registration Code input fields.
- Remediates the specific CWE-120 buffer copy flaw in Top Password Firefox Password Recovery 2.8 through timely patching or equivalent fixes.
- SC-5 (Denial-of-service Protection): protects against the unauthenticated network-based DoS crash triggered by oversized inputs in CVE-2020-37190.
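The CWE-120 pattern behind this record and the SI-10 control above, as an added illustration that is not the product's own code: a hypothetical unbounded field copy beside a hardened version that validates length and content before copying. The field names, the buffer sizes (USER_NAME_MAX, REG_CODE_MAX) and the 5000-character sample input are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Hypothetical field sizes; the product's real buffer sizes are not published. */
#define USER_NAME_MAX 64
#define REG_CODE_MAX  32

/* CWE-120 pattern (illustrative only): strcpy copies until the NUL byte with
 * no regard for the destination size, so an oversized field value overruns
 * the fixed buffer and crashes the process, i.e. the DoS described above. */
void unsafe_copy_field(char dest[USER_NAME_MAX], const char *src) {
    strcpy(dest, src);
}

/* Hardened form (SI-10): bound the scan, check length and allowed characters
 * before any copy, and report an error rather than truncating silently. */
typedef enum { FIELD_OK = 0, FIELD_TOO_LONG = 1, FIELD_BAD_CHAR = 2 } field_status;

field_status copy_field_checked(char *dest, size_t dest_size,
                                const char *src, size_t max_len) {
    /* Scan at most max_len+1 bytes, so a 5000-byte input costs O(max_len). */
    size_t n = 0;
    while (n <= max_len && src[n] != '\0')
        n++;
    if (n > max_len || n >= dest_size)
        return FIELD_TOO_LONG;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c < 0x20 || c > 0x7e)   /* printable ASCII only for these fields */
            return FIELD_BAD_CHAR;
    }
    memcpy(dest, src, n);
    dest[n] = '\0';
    return FIELD_OK;
}

/* Constructed sample: the 5000-character input the advisory describes. */
char *make_oversized_input(size_t len) {
    char *buf = malloc(len + 1);
    if (!buf) return NULL;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return buf;
}

int main(void) {
    char user[USER_NAME_MAX];
    char *big = make_oversized_input(5000);
    printf("user name 'alice': %d\n", copy_field_checked(user, sizeof user, "alice", USER_NAME_MAX - 1));
    printf("5000-char user name: %d\n", copy_field_checked(user, sizeof user, big, USER_NAME_MAX - 1));
    free(big);
    return 0;
}
```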