CVE-2025-15618

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-15618
Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key. Business::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use. This key is intended for encrypting credit card transaction data.

9.1 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://metacpan.org/dist/Business-OnlinePayment-StoredTransaction/source/lib/Business/OnlinePayment/StoredTransaction.pm#L64-75
https://security.metacpan.org/patches/B/Business-OnlinePayment-StoredTransaction/0.01/CVE-2025-15618-r1.patch
http://www.openwall.com/lists/oss-security/2026/03/31/7
Configurations

No configuration.

History

01 Apr 2026, 14:24

Type Values Removed Values Added
Summary
  • (es) Las versiones de Business::OnlinePayment::StoredTransaction hasta la 0.01 para Perl utilizan una clave secreta insegura. Business::OnlinePayment::StoredTransaction genera una clave secreta utilizando un hash MD5 de una única llamada a la función rand incorporada, lo cual no es apto para uso criptográfico. Esta clave está destinada a cifrar datos de transacciones de tarjetas de crédito.

31 Mar 2026, 19:16

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2026/03/31/7 -

31 Mar 2026, 15:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.1

31 Mar 2026, 11:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-31 11:16

Updated : 2026-04-01 14:24

NVD link : CVE-2025-15618

Mitre link : CVE-2025-15618

CVE.ORG link : CVE-2025-15618

JSON object : View

Products Affected

No product.

CWE
CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

CWE-693

Protection Mechanism Failure