CVE-2020-37168

· Published 13/05/2026 16:16 · Modified 13/05/2026 17:07

Labels: CVE-2020-37168, 2026-05-13, CWE-328

Essential information

Published
13/05/2026 16:16
Modified
13/05/2026 17:07
Author
Creator
CVSS
9.3 CRITICAL (v3) 9.3 CRITICAL (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. Attackers can extract payment form data and signatures from POST requests to the payment endpoint, then use SHA1 hash comparison to iteratively test key candidates until discovering the correct production key, enabling them to forge valid payment signatures and manipulate transaction amounts.

NVD status

Status
Deferred — When a CVE is given this status, the NVD does not plan to analyze or re-analyze this CVE due to resource or other concerns.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

Product | CPE
ecommerce / systempay | cpe:2.3:a:ecommerce:systempay:*:*:*:*:*:*:*:*

References