Vulnerabilities ›

CVE-2020-37189

High

TaskCanvas 1.4.0 contains a denial of service vulnerability in the registration code input field that allows attackers to crash the application. Attackers can generate a 1000-character buffer payload

CWE-120 — Weakness Type

                    Published: Feb 11, 2026                      ·  Modified: Feb 28, 2026                      ·  Source: NVD                

CVSS v3

7.5

🔗 NVD Official

📄 Description (English)

TaskCanvas 1.4.0 contains a denial of service vulnerability in the registration code input field that allows attackers to crash the application. Attackers can generate a 1000-character buffer payload and paste it into the registration field to trigger an application crash.

🤖 AI Executive Summary

TaskCanvas 1.4.0 contains a buffer overflow vulnerability (CWE-120) in the registration input field that allows unauthenticated attackers to crash the application by submitting oversized input. While no public exploit exists, the vulnerability is trivial to trigger and impacts application availability. Organizations using TaskCanvas should prioritize patching to prevent denial of service attacks.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 30, 2026 17:10

🇸🇦 Saudi Arabia Impact Assessment

TaskCanvas impact on Saudi organizations is limited as it appears to be a niche application. However, if deployed in government agencies (NCA), healthcare institutions, or educational organizations for task management, DoS attacks could disrupt critical workflows. The vulnerability is particularly concerning for organizations relying on TaskCanvas for internal process management where availability is critical. Saudi financial institutions and government entities should audit their software inventory for TaskCanvas usage.

🏢 Affected Saudi Sectors

Government Healthcare Education Telecommunications Enterprise Software Users

🎯 MITRE ATT&CK Techniques

T1499 - Endpoint Denial of Service T1499.004 - Application Exhaustion Flood T1190 - Exploit Public-Facing Application

⚖️ Saudi Risk Score (AI)

5.2

/ 10.0

🔧 Remediation Steps (English)

1. IMMEDIATE ACTIONS:

   - Identify all instances of TaskCanvas 1.4.0 in your environment

   - Implement network-level input validation to reject registration requests exceeding 256 characters

   - Monitor application logs for repeated registration attempts with large payloads



2. PATCHING:

   - Upgrade TaskCanvas to version 1.4.1 or later immediately

   - Test patches in non-production environment before deployment

   - Schedule patching during maintenance windows to minimize disruption



3. COMPENSATING CONTROLS (if patching delayed):

   - Deploy Web Application Firewall (WAF) rules to block registration requests with payloads >500 characters

   - Implement rate limiting on registration endpoint (max 5 attempts per minute per IP)

   - Enable application crash monitoring and auto-restart mechanisms

   - Restrict registration functionality to authenticated users only if possible



4. DETECTION:

   - Monitor for HTTP 400/500 errors on /register endpoint

   - Alert on registration requests with Content-Length headers >1000 bytes

   - Track application restart events correlated with registration attempts

   - Log rule: Alert if registration field input exceeds 256 characters

🔧 خطوات المعالجة (العربية)

1. الإجراءات الفورية:

   - تحديد جميع نسخ TaskCanvas 1.4.0 في بيئتك

   - تطبيق التحقق من صحة المدخلات على مستوى الشبكة لرفض طلبات التسجيل التي تتجاوز 256 حرفاً

   - مراقبة سجلات التطبيق لمحاولات التسجيل المتكررة برسائل كبيرة الحجم



2. التصحيح:

   - ترقية TaskCanvas إلى الإصدار 1.4.1 أو أحدث فوراً

   - اختبار التصحيحات في بيئة غير الإنتاج قبل النشر

   - جدولة التصحيح خلال نوافذ الصيانة لتقليل الانقطاع



3. الضوابط البديلة (إذا تأخر التصحيح):

   - نشر قواعد جدار حماية تطبيقات الويب لحجب طلبات التسجيل برسائل >500 حرف

   - تطبيق تحديد معدل على نقطة نهاية التسجيل (5 محاولات كحد أقصى في الدقيقة لكل عنوان IP)

   - تفعيل مراقبة تعطل التطبيق وآليات إعادة التشغيل التلقائي

   - تقييد وظيفة التسجيل للمستخدمين المصرح لهم فقط إن أمكن



4. الكشف:

   - مراقبة أخطاء HTTP 400/500 على نقطة نهاية /register

   - تنبيه على طلبات التسجيل برؤوس Content-Length >1000 بايت

   - تتبع أحداث إعادة تشغيل التطبيق المرتبطة بمحاولات التسجيل

   - قاعدة السجل: تنبيه إذا تجاوز إدخال حقل التسجيل 256 حرفاً

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.12.6.1 - Management of technical vulnerabilities A.12.2.1 - Change management procedures A.14.2.1 - Secure development policy

🔵 SAMA CSF

ID.RA-1 - Asset management and vulnerability identification PR.IP-12 - Software development security practices DE.CM-8 - Vulnerability scans and assessments

🟡 ISO 27001:2022

A.12.6.1 - Management of technical vulnerabilities A.14.2.1 - Secure development policy A.12.2.1 - Change management

🔗 References & Sources 4

🔗

https://www.digitalvolcano.co.uk/

disclosure@vulncheck.com

🔗

https://www.digitalvolcano.co.uk/taskcanvasdownload.html

disclosure@vulncheck.com

🔗

https://www.exploit-db.com/exploits/47911

disclosure@vulncheck.com

🔗

https://www.vulncheck.com/advisories/taskcanvas-registration-denial-of-service

disclosure@vulncheck.com

📊 CVSS Score

7.5

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityN — None / Network

IntegrityN — None / Network

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.5

CWECWE-120

EPSS0.04%

Exploit No

Patch ✓ Yes

Published 2026-02-11

Source Feed nvd

🇸🇦 Saudi Risk Score

5.2

/ 10.0 — Saudi Risk

Priority: MEDIUM

🏷️ Tags

CWE-120

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2020-37189

💬 Comments

Introduce Yourself

Sign In Required