CVE-2025-15618

Summary

Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key.

Business::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use.

This key is intended for encrypting credit card transaction data.

Affected Software

VendorProductVersion RangeStatus
MOCKBusiness::OnlinePayment::StoredTransaction0 <= 0.01affected

Weaknesses

  • CWE-338: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator
  • CWE-693: CWE-693 Protection Mechanism Failure

Workarounds

Apply the patch that uses Crypt::URandom to generate a secret key.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References