CVE-2020-37168 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: May 13, 2026
Ecommerce Systempay - Weak Cryptography
Published: May 13, 2026 | Updated: May 13, 2026 | Remote Exploitable
Overview
Ecommerce Systempay 1.0 contains a weak cryptographic implementation: it uses SHA1 for payment signature generation, which lets attackers brute-force the production secret key and forge valid payment signatures. Exploitation requires access to payment POST requests.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Attackers can forge valid payment signatures and manipulate transaction amounts, leading to financial fraud and unauthorized transactions.
Mitigation
Update to a version that uses strong cryptographic algorithms for payment signature generation or apply patches to replace SHA1 with a secure hash function.
Details
- CVE ID: CVE-2020-37168
- Severity: Critical
- CVSS Score: 9.8
- Type: weak_cryptography
- Status: rejected
CWE
- CWE-328
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H