Cyber Resilience

CVE-2020-37190

Severity: Medium · Public PoC

Published: 11 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: none recorded
CVSS Score v4: 4.6 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0003 (10.0th percentile)
Risk Priority: 9 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-37190 is a medium-severity Classic Buffer Overflow (CWE-120) vulnerability in Top Password Firefox Password (inferred from references). Its CVSS base score is 4.6 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 10.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

Top Password Firefox Password Recovery 2.8 is affected by CVE-2020-37190, a denial of service vulnerability stemming from CWE-120 (buffer copy without checking size of input). The flaw allows attackers to crash the application by overflowing input fields, specifically by inserting 5000 characters into the User Name or Registration Code fields. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and was published on 2026-02-11.

Per the CVSS v3.1 vector, unauthenticated attackers (PR:N) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and without user interaction (UI:N). By submitting 5000 characters to the specified input fields, they can crash the Top Password Firefox Password Recovery 2.8 application, resulting in a denial of service. Note that the CVSS v4 vector recorded above (AV:L, UI:A) scores the same flaw as local and requiring user interaction; the two vectors disagree on attack vector, and the v3.1 rating is the one reflected in this description.
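The root cause class here is CWE-120: a fixed-size destination is filled from attacker-controlled input with no length check. The following C example, added for this write-up and not code from the affected product or its vendor, shows the unchecked pattern beside a hardened replacement that enforces the SI-10 style length validation the mitigating controls call for. The field size (FIELD_MAX) and the 5000-character test input are constructed for illustration; the 5000 figure is the length cited in the advisory, the buffer size is an assumption.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Assumed field size for illustration; not taken from the product. */
#define FIELD_MAX 64

/* Length cited by the advisory for the crashing input. */
#define OVERSIZED_LEN 5000

/* CWE-120 pattern: copies the whole source with no bound on its length.
 * Shown only for contrast; the rest of the file never calls it. */
void copy_field_unchecked(char dst[FIELD_MAX], const char *src)
{
    strcpy(dst, src);   /* writes past dst when strlen(src) >= FIELD_MAX */
}

/* Scan at most `limit` bytes so validation itself cannot run off the end
 * of an unterminated input (portable replacement for strnlen). */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Hardened form: reject anything that does not fit (including the NUL),
 * then copy with an explicit byte count. Returns false on rejection and
 * leaves dst as an empty string so callers never see partial data. */
bool copy_field_checked(char dst[FIELD_MAX], const char *src)
{
    size_t n = bounded_len(src, FIELD_MAX);
    if (n >= FIELD_MAX) {
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);
    return true;
}

/* Normal-sized input is accepted and copied intact. */
bool normal_input_is_accepted(void)
{
    char dst[FIELD_MAX];
    return copy_field_checked(dst, "alice") && strcmp(dst, "alice") == 0;
}

/* Constructed 5000-character input (the advisory's figure) is rejected
 * instead of overflowing the destination. */
bool oversized_input_is_rejected(void)
{
    static char big[OVERSIZED_LEN + 1];
    memset(big, 'A', OVERSIZED_LEN);
    big[OVERSIZED_LEN] = '\0';

    char dst[FIELD_MAX];
    bool ok = copy_field_checked(dst, big);
    return !ok && dst[0] == '\0';
}

int main(void)
{
    printf("normal input accepted:   %s\n", normal_input_is_accepted() ? "yes" : "no");
    printf("5000-char input rejected: %s\n", oversized_input_is_rejected() ? "yes" : "no");
    return 0;
}
```

The validation deliberately checks the length before any copy and bounds the scan itself, so an input that is both too long and unterminated still cannot cause a read or write past the buffer; rejecting with an empty destination keeps callers from acting on truncated field contents.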

Advisories and related resources include a proof-of-concept exploit on Exploit-DB (https://www.exploit-db.com/exploits/47912), the vendor's website (https://www.top-password.com/), and a VulnCheck advisory detailing the denial of service issue (https://www.vulncheck.com/advisories/top-password-firefox-password-recovery-denial-of-service). No specific patch or mitigation details are outlined in the core vulnerability data.

A proof-of-concept exploit is publicly available, indicating potential for demonstration or targeted denial of service attacks against affected installations of this legacy password recovery tool.

Vulnerability details

Top Password Firefox Password Recovery 2.8 contains a denial of service vulnerability that allows attackers to crash the application by overflowing input fields. Attackers can trigger the vulnerability by inserting 5000 characters into the User Name or Registration Code input fields.

CWE(s)

CWE-120 Classic Buffer Overflow (buffer copy without checking size of input)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Buffer overflow in input fields directly enables application exploitation resulting in denial of service.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-20115 (shared CWE-120)
CVE-2020-37205 (shared CWE-120)
CVE-2026-28875 (shared CWE-120)
CVE-2020-37194 (shared CWE-120)
CVE-2020-37180 (shared CWE-120)
CVE-2024-24419 (shared CWE-120)
CVE-2019-25353 (shared CWE-120)
CVE-2026-30075 (shared CWE-120)
CVE-2020-37213 (shared CWE-120)
CVE-2021-47798 (shared CWE-120)

Affected Assets

Top Password Firefox Password (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

[prevent] Directly prevents the buffer overflow DoS in CVE-2020-37190 by validating the length and content of the User Name and Registration Code input fields.

[prevent] Remediates the specific CWE-120 buffer copy flaw in Top Password Firefox Password Recovery 2.8 through timely patching or equivalent fixes.

[prevent, detect] Protects against the unauthenticated network-based DoS crash triggered by oversized inputs in CVE-2020-37190.
