CVE-2020-37168

May 13, 2026, 5:07 p.m.

9.3
Critical

Description

Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. Attackers can extract payment form data and signatures from POST requests to the payment endpoint, then use SHA1 hash comparison to iteratively test key candidates until discovering the correct production key, enabling them to forge valid payment signatures and manipulate transaction amounts.

Product(s) Impacted

Vendor Product Versions
Ecommerce
  • Systempay
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-328
Use of Weak Hash
The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a ecommerce systempay / / / / / / / /

References

https://paiement.systempay.fr/doc/fr-FR/
https://paiement.systempay.fr/doc/fr-FR/module-de-paiement-gratuit/
https://www.exploit-db.com/exploits/48017
https://www.vulncheck.com/advisories/ecommerce-systempay-production-key-brute-force

Tags

[email protected]
CWE-328
2026-05-13
CVE-2020-37168

CVSS Score

9.3 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: May 13, 2026, 4:16 p.m.
Last Modified: May 13, 2026, 5:07 p.m.

Status : Deferred

When a CVE is given this status the NVD does not plan analyze or re-analyze this CVE due to resource or other concerns.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.