CVE-2020-37109
Buffer Overflow in aSc TimeTables 2020.11.4 Causes DoS
Publication date: 2026-02-07
Last updated on: 2026-02-07
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| asc_timetables | asc_timetables | 2020.11.4 |
| asc_timetables | asc_timetables | 2021.6.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2020-37109 is a denial of service vulnerability in aSc TimeTables 2020.11.4 that occurs when an attacker inputs a very large buffer into the Subject title field. This large input, such as a 1000-character or even 10,000-character string, causes the application to crash or become unstable by overwriting the Subject title field and improperly handling resource allocation.'}, {'type': 'paragraph', 'content': "The vulnerability arises from the application's failure to limit or throttle the size of input in the Subject title, leading to resource exhaustion and application instability."}] [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact users by causing the aSc TimeTables application to crash or become unresponsive when a large buffer is pasted into the Subject title field. This results in a denial of service condition, making the application unavailable for legitimate users.
An attacker with local access and requiring user interaction can exploit this to disrupt scheduling operations, potentially causing downtime and loss of productivity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to reproduce the denial of service condition locally on the affected aSc TimeTables application version 2020.11.4. Specifically, an attacker or tester can input a large buffer (e.g., 1000 characters) into the Subject title field to see if the application crashes or becomes unstable.'}, {'type': 'paragraph', 'content': 'A practical detection method involves using the provided Python script from the exploit to generate a file containing a large buffer of characters, then copying and pasting this buffer into the Subject title field within the application.'}, {'type': 'list_item', 'content': 'Open aSc TimeTables 2020 application.'}, {'type': 'list_item', 'content': 'Select "New" from the File menu.'}, {'type': 'list_item', 'content': 'Enter any letter in the "Name of the School" field and click Next.'}, {'type': 'list_item', 'content': 'Click Next again in the subsequent window.'}, {'type': 'list_item', 'content': 'In Step 3, under "Subject," click "New."'}, {'type': 'list_item', 'content': 'Run the Python script to generate a file (e.g., "Tables.txt") containing 1000 \'Z\' characters.'}, {'type': 'list_item', 'content': 'Copy the content of "Tables.txt" and paste it into the "Subject title" field.'}, {'type': 'list_item', 'content': 'Click OK and observe if the application crashes or becomes unresponsive.'}] [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting user input length in the Subject title field to prevent excessively large buffers from being entered.
Additionally, ensure that only trusted users have access to the application to reduce the risk of exploitation, as the attack requires local user interaction.
If possible, update the application to a version where this vulnerability is fixed or apply any available patches from the vendor.
As a temporary workaround, monitor the application for crashes and restart it as needed while limiting input sizes.