CVE-2020-37215
Awaiting Analysis Awaiting Analysis - Queue
Denial of Service via Oversized Input in MSN Password Recovery

Publication date: 2026-02-11

Last updated on: 2026-02-12

Assigner: VulnCheck

Description
MSN Password Recovery version 1.30 contains a denial of service vulnerability that allows attackers to crash the application by supplying an oversized input in the registration code field. Attackers can generate a 9000-byte buffer of repeated characters and paste it into the 'User Name and Registration Code' field to trigger an application crash.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-11
Last Modified
2026-02-12
Generated
2026-06-16
AI Q&A
2026-02-11
EPSS Evaluated
2026-06-14
NVD
CVE-2020-37215
EUVD
EUVD-2020-31174
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
top_password msn_password_recovery 1.30
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "MSN Password Recovery version 1.30 contains a denial of service (DoS) vulnerability caused by a buffer overflow. This happens because the application does not properly check the size of the input in the 'User Name and Registration Code' field."}, {'type': 'paragraph', 'content': 'An attacker can supply an oversized input, specifically a 9000-byte buffer of repeated characters, which causes the application to crash when processing this input.'}, {'type': 'paragraph', 'content': 'This vulnerability is classified under CWE-120 (Buffer Copy without Checking Size of Input), indicating a classic buffer overflow issue.'}] [1, 2]

Impact Analysis

The primary impact of this vulnerability is a denial of service condition where the MSN Password Recovery application crashes and becomes unavailable.

An attacker with local access and the ability to interact with the user interface can trigger this crash by inputting a specially crafted oversized registration code.

This can disrupt normal use of the application, potentially preventing legitimate users from recovering passwords until the application is restarted or fixed.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by attempting to reproduce the denial of service condition on the MSN Password Recovery version 1.30 application. Specifically, an oversized input of 9000 repeated characters can be supplied to the 'User Name and Registration Code' field to trigger the crash."}, {'type': 'list_item', 'content': "Generate a file containing 9000 repeated characters (e.g., 'A')."}, {'type': 'list_item', 'content': 'Copy the contents of this file to the clipboard.'}, {'type': 'list_item', 'content': "Launch MSN Password Recovery 1.30 and paste the contents into the 'User Name and Registration Code' input field."}, {'type': 'list_item', 'content': "Click 'OK' and observe if the application crashes, indicating the presence of the vulnerability."}] [2]

Mitigation Strategies

Immediate mitigation steps include avoiding the use of MSN Password Recovery version 1.30 or restricting access to it, as the vulnerability requires local user interaction to trigger.

Since the vulnerability is triggered by oversized input in the registration code field, do not allow untrusted users to interact with the application or input data into this field.

Monitor and control local access to the system running MSN Password Recovery to prevent exploitation.

Check for any updates or patches from the vendor that address this buffer overflow vulnerability and apply them as soon as they become available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-37215. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart