9.3
CVE-2020-37168: Ecommerce Systempay 1.0 payment key can be guessed
CVE-2020-37168
Summary
Weak cryptography in Ecommerce Systempay 1.0 makes it easy for attackers to guess the secret key used to verify payments. This allows them to fake payment signatures and change transaction amounts. You should update to a newer version of Ecommerce Systempay that fixes this weakness.
Original title
Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation....
Original description
Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. Attackers can extract payment form data and signatures from POST requests to the payment endpoint, then use SHA1 hash comparison to iteratively test key candidates until discovering the correct production key, enabling them to forge valid payment signatures and manipulate transaction amounts.
nvd CVSS3.1
9.8
nvd CVSS4.0
9.3
Vulnerability type
CWE-328
Published: 13 May 2026 · Updated: 28 May 2026 · First seen: 13 May 2026