{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15618", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2026-03-29T14:46:35.859Z", "datePublished": "2026-03-31T10:04:34.763Z", "dateUpdated": "2026-03-31T18:18:47.103Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "packageName": "Business-OnlinePayment-StoredTransaction", "product": "Business::OnlinePayment::StoredTransaction", "programRoutines": [{"name": "Business::OnlinePayment::StoredTransaction::submit"}], "vendor": "MOCK", "versions": [{"lessThanOrEqual": "0.01", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key.\n\nBusiness::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use.\n\nThis key is intended for encrypting credit card transaction data."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-338", "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-693", "description": "CWE-693 Protection Mechanism Failure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-03-31T10:04:34.763Z"}, "references": [{"url": "https://metacpan.org/dist/Business-OnlinePayment-StoredTransaction/source/lib/Business/OnlinePayment/StoredTransaction.pm#L64-75"}, {"url": "https://security.metacpan.org/patches/B/Business-OnlinePayment-StoredTransaction/0.01/CVE-2025-15618-r1.patch"}], "source": {"discovery": "UNKNOWN"}, "title": "Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key", "workarounds": [{"lang": "en", "value": "Apply the patch that uses Crypt::URandom to generate a secret key."}], "x_generator": {"engine": "cpansec-cna-tool 0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T14:42:57.742486Z", "id": "CVE-2025-15618", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:43:15.408Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/31/7"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-31T18:18:47.103Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-15618", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T14:42:57.742486Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:42:19.803Z"}}], "cna": {"title": "Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "MOCK", "product": "Business::OnlinePayment::StoredTransaction", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "0.01"}], "packageName": "Business-OnlinePayment-StoredTransaction", "collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "programRoutines": [{"name": "Business::OnlinePayment::StoredTransaction::submit"}]}], "references": [{"url": "https://metacpan.org/dist/Business-OnlinePayment-StoredTransaction/source/lib/Business/OnlinePayment/StoredTransaction.pm#L64-75"}, {"url": "https://security.metacpan.org/patches/B/Business-OnlinePayment-StoredTransaction/0.01/CVE-2025-15618-r1.patch"}], "workarounds": [{"lang": "en", "value": "Apply the patch that uses Crypt::URandom to generate a secret key."}], "x_generator": {"engine": "cpansec-cna-tool 0.1"}, "descriptions": [{"lang": "en", "value": "Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key.\n\nBusiness::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use.\n\nThis key is intended for encrypting credit card transaction data."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-338", "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693 Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-03-31T10:04:34.763Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15618", "state": "PUBLISHED", "dateUpdated": "2026-03-31T14:43:15.408Z", "dateReserved": "2026-03-29T14:46:35.859Z", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "datePublished": "2026-03-31T10:04:34.763Z", "assignerShortName": "CPANSec"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mock:business\\:\\:onlinepayment\\:\\:storedtransaction:0.01:*:*:*:*:perl:*:*", "matchCriteriaId": "802AEA8D-5107-4BA0-997B-788A65BD0683", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key.\n\nBusiness::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use.\n\nThis key is intended for encrypting credit card transaction data."}, {"lang": "es", "value": "Las versiones de Business::OnlinePayment::StoredTransaction hasta la 0.01 para Perl utilizan una clave secreta insegura.\n\nBusiness::OnlinePayment::StoredTransaction genera una clave secreta utilizando un hash MD5 de una \u00fanica llamada a la funci\u00f3n rand incorporada, lo cual no es apto para uso criptogr\u00e1fico.\n\nEsta clave est\u00e1 destinada a cifrar datos de transacciones de tarjetas de cr\u00e9dito."}], "id": "CVE-2025-15618", "lastModified": "2026-04-13T13:20:21.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-31T11:16:11.950", "references": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Product"], "url": "https://metacpan.org/dist/Business-OnlinePayment-StoredTransaction/source/lib/Business/OnlinePayment/StoredTransaction.pm#L64-75"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Patch"], "url": "https://security.metacpan.org/patches/B/Business-OnlinePayment-StoredTransaction/0.01/CVE-2025-15618-r1.patch"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/03/31/7"}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-338"}, {"lang": "en", "value": "CWE-693"}], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.01]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Business::OnlinePayment::StoredTransaction", "source": "cna", "vendor": "MOCK"}, "product": "business::onlinepayment::storedtransaction", "vendor": "mock"}], "analysis": {"en": {"generated_at": "2026-04-13T14:43:36.081232+00:00", "value": {"mitigation_remediation": ["Apply the patch that uses Crypt::URandom to generate a secret key.", "Verify that the module no longer uses the insecure rand function to create keys.", "Confirm that encryption and decryption of transaction data now use the updated key generation method."], "summary": {"action": "Immediate Patch", "impact": "Weak cryptographic key used to encrypt credit card transaction data."}, "threat_synthesis": {"affected_systems": "The issue affects the Perl module Business::OnlinePayment::StoredTransaction version 0.01. The module is distributed by the vendor MOCK under the identifier Business::OnlinePayment::StoredTransaction and is used for encrypting transaction histories in online payment systems.", "description_and_impact": "Business::OnlinePayment::StoredTransaction creates a secret key by hashing a single value from Perl\u2019s built\u2011in rand function with MD5. This practice produces a deterministic, low\u2011entropy key that is unsuitable for protecting sensitive data. Attackers who can obtain the key can decrypt stored credit card information, compromising customer and potentially enabling financial fraud and regulatory violations.", "risk_and_exploitability": "The CVSS score of 9.1 reflects a severe risk to data confidentiality. The EPSS score is below 1%, indicating low likelihood of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need to interact with the application\u2014either by supplying crafted input or by executing code within the process\u2014to retrieve or calculate the weak key, then use that key to decrypt saved card data. The attack vector is inferred to be application\u2011level, requiring user interaction or code execution within the affected environment."}}}}, "created": "2026-03-31T19:55:53.013176+00:00", "updated": "2026-04-14T16:42:27.376473+00:00", "vendors": ["mock", "mock$PRODUCT$business::onlinepayment::storedtransaction"]}