CVE-2025-15618
9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key.
Business::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use.
This key is intended for encrypting credit card transaction data.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| MOCK | Business::OnlinePayment::StoredTransaction | 0 <= 0.01 | affected |
Weaknesses
- CWE-338: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator
- CWE-693: CWE-693 Protection Mechanism Failure
Workarounds
Apply the patch that uses Crypt::URandom to generate a secret key.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
CVE Program Container
Additional References
References
- https://metacpan.org/dist/Business-OnlinePayment-StoredTransaction/source/lib/Business/OnlinePayment/StoredTransaction.pm#L64-75
- https://security.metacpan.org/patches/B/Business-OnlinePayment-StoredTransaction/0.01/CVE-2025-15618-r1.patch
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.