Description
Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key.

Business::OnlinePayment::StoredTransaction generates a secret key by using an MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use.

This key is intended for encrypting credit card transaction data.
Published: 2026-03-31
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Weak cryptographic key used to encrypt credit card transaction data.
Action: Immediate Patch
AI Analysis

Impact

Business::OnlinePayment::StoredTransaction creates a secret key by hashing a single value from Perl's built-in rand function with MD5. This practice produces a predictable, low-entropy key that is unsuitable for protecting sensitive data. Attackers who can obtain or reconstruct the key can decrypt stored credit card information, compromising customer data and potentially enabling financial fraud and regulatory violations.

Affected Systems

The issue affects the Perl module Business::OnlinePayment::StoredTransaction version 0.01. The module is distributed by the vendor MOCK under the identifier Business::OnlinePayment::StoredTransaction and is used for encrypting transaction histories in online payment systems.

Risk and Exploitability

The CVSS score of 9.1 reflects a severe risk to data confidentiality. The EPSS score is below 1%, indicating low likelihood of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need to interact with the application—either by supplying crafted input or by executing code within the process—to retrieve or calculate the weak key, then use that key to decrypt saved card data. The attack vector is inferred to be application‑level, requiring user interaction or code execution within the affected environment.

Generated by OpenCVE AI on April 13, 2026 at 14:43 UTC.

Remediation

Vendor Workaround

Apply the patch that uses Crypt::URandom to generate a secret key.

OpenCVE Recommended Actions

  • Apply the patch that uses Crypt::URandom to generate a secret key.
  • Verify that the module no longer uses the insecure rand function to create keys.
  • Confirm that encryption and decryption of transaction data now use the updated key generation method.
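The weak pattern the advisory describes beside the Crypt::URandom-based replacement it recommends, added here as an illustration and not the module's own code. It assumes Digest::MD5 and Crypt::URandom are installed and that the key is stored hex-encoded; the checker function is a hypothetical helper for reviewers verifying the second and third actions above.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use Crypt::URandom qw(urandom);

# Weak (CWE-338): rand() is a non-cryptographic PRNG with a small,
# guessable seed, so one sample carries far less than 128 bits of
# entropy. Hashing it with MD5 cannot add entropy it never had.
sub weak_key {
    return md5_hex(rand());
}

# Fixed: read the key straight from the OS CSPRNG via Crypt::URandom.
# 32 bytes gives a 256-bit key; hex-encode it for storage (assumption).
sub strong_key {
    my $len = shift // 32;
    return unpack('H*', urandom($len));
}

# Hypothetical review check: a stored key must be lowercase hex and at
# least $min_bytes long. MD5 output is only 16 bytes (32 hex chars), so
# a key produced by weak_key() fails on length alone. Passing this check
# does not prove the key came from a CSPRNG; review the generator too.
sub looks_like_hex_key {
    my ($key, $min_bytes) = @_;
    $min_bytes //= 32;
    return $key =~ /\A[0-9a-f]+\z/ && length($key) >= 2 * $min_bytes;
}

print "weak:   ", weak_key(),   "\n";
print "strong: ", strong_key(), "\n";
printf "weak passes length check?   %s\n",
    looks_like_hex_key(weak_key())   ? 'yes' : 'no';
printf "strong passes length check? %s\n",
    looks_like_hex_key(strong_key()) ? 'yes' : 'no';
```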

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 13:30:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Mock business\
CPEs                                    cpe:2.3:a:mock:business\:\:onlinepayment\:\:storedtransaction:0.01:*:*:*:*:perl:*:*
Vendors & Products                      Mock business\

Wed, 01 Apr 2026 02:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Mock
                                        Mock business::onlinepayment::storedtransaction
Vendors & Products                      Mock
                                        Mock business::onlinepayment::storedtransaction
References

Tue, 31 Mar 2026 15:15:00 +0000

Type                  Values Removed    Values Added
Metrics                                 cvssV3_1
                                        {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
                                        ssvc
                                        {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 10:45:00 +0000

Type                  Values Removed    Values Added
Description                             Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key. Business::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use. This key is intended for encrypting credit card transaction data.
Title                                   Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key
Weaknesses                              CWE-338
                                        CWE-693
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-03-31T18:18:47.103Z

Reserved: 2026-03-29T14:46:35.859Z

Link: CVE-2025-15618

Vulnrichment

Updated: 2026-03-31T14:42:19.803Z

NVD

Status : Analyzed

Published: 2026-03-31T11:16:11.950

Modified: 2026-04-13T13:20:21.790

Link: CVE-2025-15618

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:42:27Z

Weaknesses