CVE-2020-37192

MEDIUM

MSN Password Recovery 1.30 - Info Disclosure

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37192. PoCs published by ZwX.

AI-analyzed exploit summary: This exploit demonstrates an XML External Entity (XXE) injection vulnerability in MSN Password Recovery 1.30, allowing an attacker to read arbitrary files from the target system by leveraging a malicious DTD file hosted on a local server.

Description

MSN Password Recovery 1.30 contains an XML external entity injection vulnerability that allows attackers to read local system files through crafted XML input. Attackers can exploit the 'Favorites' tab by injecting a malicious XML file that references external entities to retrieve sensitive system configuration information.

Exploits (1)

exploitdb WORKING POC
by ZwX · text · local · xml
https://www.exploit-db.com/exploits/47896

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: MSN Password Recovery 1.30
No auth needed
Prerequisites: Local HTTP server to host payload.dtd · Ability to modify the 'Favorites' path in the target software
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/47896
Various Sources product
https://www.top-password.com/

Scores

CVSS v3 6.2
EPSS 0.0021
EPSS Percentile 10.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-611
Status published
Products (1)
Top Password Software/MSN Password Recovery 1.30
Published Feb 11, 2026
Tracked Since Feb 18, 2026