{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15618", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2026-03-29T14:46:35.859Z", "datePublished": "2026-03-31T10:04:34.763Z", "dateUpdated": "2026-03-31T18:18:47.103Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "packageName": "Business-OnlinePayment-StoredTransaction", "product": "Business::OnlinePayment::StoredTransaction", "programRoutines": [{"name": "Business::OnlinePayment::StoredTransaction::submit"}], "vendor": "MOCK", "versions": [{"lessThanOrEqual": "0.01", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key.\n\nBusiness::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use.\n\nThis key is intended for encrypting credit card transaction data."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-338", "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-693", "description": "CWE-693 Protection Mechanism Failure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-03-31T10:04:34.763Z"}, "references": [{"url": "https://metacpan.org/dist/Business-OnlinePayment-StoredTransaction/source/lib/Business/OnlinePayment/StoredTransaction.pm#L64-75"}, {"url": "https://security.metacpan.org/patches/B/Business-OnlinePayment-StoredTransaction/0.01/CVE-2025-15618-r1.patch"}], "source": {"discovery": "UNKNOWN"}, "title": "Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key", "workarounds": [{"lang": "en", "value": "Apply the patch that uses Crypt::URandom to generate a secret key."}], "x_generator": {"engine": "cpansec-cna-tool 0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T14:42:57.742486Z", "id": "CVE-2025-15618", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:43:15.408Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/31/7"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-31T18:18:47.103Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-15618", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T14:42:57.742486Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:42:19.803Z"}}], "cna": {"title": "Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "MOCK", "product": "Business::OnlinePayment::StoredTransaction", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "0.01"}], "packageName": "Business-OnlinePayment-StoredTransaction", "collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "programRoutines": [{"name": "Business::OnlinePayment::StoredTransaction::submit"}]}], "references": [{"url": "https://metacpan.org/dist/Business-OnlinePayment-StoredTransaction/source/lib/Business/OnlinePayment/StoredTransaction.pm#L64-75"}, {"url": "https://security.metacpan.org/patches/B/Business-OnlinePayment-StoredTransaction/0.01/CVE-2025-15618-r1.patch"}], "workarounds": [{"lang": "en", "value": "Apply the patch that uses Crypt::URandom to generate a secret key."}], "x_generator": {"engine": "cpansec-cna-tool 0.1"}, "descriptions": [{"lang": "en", "value": "Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key.\n\nBusiness::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use.\n\nThis key is intended for encrypting credit card transaction data."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-338", "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693 Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-03-31T10:04:34.763Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15618", "state": "PUBLISHED", "dateUpdated": "2026-03-31T14:43:15.408Z", "dateReserved": "2026-03-29T14:46:35.859Z", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "datePublished": "2026-03-31T10:04:34.763Z", "assignerShortName": "CPANSec"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key.\n\nBusiness::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use.\n\nThis key is intended for encrypting credit card transaction data."}, {"lang": "es", "value": "Las versiones de Business::OnlinePayment::StoredTransaction hasta la 0.01 para Perl utilizan una clave secreta insegura.\n\nBusiness::OnlinePayment::StoredTransaction genera una clave secreta utilizando un hash MD5 de una \u00fanica llamada a la funci\u00f3n rand incorporada, lo cual no es apto para uso criptogr\u00e1fico.\n\nEsta clave est\u00e1 destinada a cifrar datos de transacciones de tarjetas de cr\u00e9dito."}], "id": "CVE-2025-15618", "lastModified": "2026-04-01T14:24:02.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-31T11:16:11.950", "references": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://metacpan.org/dist/Business-OnlinePayment-StoredTransaction/source/lib/Business/OnlinePayment/StoredTransaction.pm#L64-75"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://security.metacpan.org/patches/B/Business-OnlinePayment-StoredTransaction/0.01/CVE-2025-15618-r1.patch"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/03/31/7"}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-338"}, {"lang": "en", "value": "CWE-693"}], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.01]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Business::OnlinePayment::StoredTransaction", "source": "cna", "vendor": "MOCK"}, "product": "business::onlinepayment::storedtransaction", "vendor": "mock"}], "analysis": {"en": {"generated_at": "2026-03-31T16:24:28.893113+00:00", "value": {"mitigation_remediation": ["Apply the patch that uses Crypt::URandom to generate a secret key.", "Verify that the business application has been updated to the patched version of Business::OnlinePayment::StoredTransaction.", "Audit any stored credit card data to ensure it has been reencrypted with a secure key after the patch.", "If the patch cannot be applied immediately, consider disabling encryption for stored transactions or moving sensitive data to a separate, properly protected storage component."], "summary": {"action": "Immediate Patch", "impact": "Confidentiality compromise of credit card data"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Perl module Business::OnlinePayment::StoredTransaction, specifically all releases up through version 0.01. Users of this module in any environment that stores encrypted transaction data are concerned.", "description_and_impact": "Business::OnlinePayment::StoredTransaction uses a single call to the built\u2011in rand function, hashes the result with MD5, and treats that as an encryption key. Because rand is a low\u2011entropy pseudorandom generator and MD5 is not cryptographically secure, the secret key is predictable and vulnerable to brute force or collision attacks. As a result, credit card transaction data that relies on this key for encryption can be decrypted or altered by an attacker, compromising both confidentiality and integrity of payment information. The weakness is aligned with CWE\u2011338 and CWE\u2011693.", "risk_and_exploitability": "The CVSS score of 9.1 indicates a high\u2011severity flaw. The EPSS score of fewer than 1% suggests that, while discovery is unlikely, the impact remains substantial. The vulnerability is not listed in the CISA KEV catalog, yet an attacker who can execute or incorporate the module\u2014whether by running the application, injecting malicious code, or accessing stored data\u2014can potentially reconstruct the weak key and decrypt payment records. The most likely attack vector is local or remote code execution within a web or payment application that imports this module, as inferred from the nature of the crate.\n"}}}}, "created": "2026-03-31T19:55:53.013176+00:00", "updated": "2026-03-31T20:39:15.683278+00:00", "vendors": ["mock", "mock$PRODUCT$business::onlinepayment::storedtransaction"]}