CVE-2025-11699

High CVSS: 7.1

nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a
a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability.

Vendor

Nopcommerce

Product

Nopcommerce

CWE

CWE-613

Yayın Tarihi

2025-12-01 16:15:51

Güncelleme

2025-12-19 17:02:39

Source Identifier

cret@cert.org

KEV Date Added

Kategoriler

CWE-613 Nopcommerce HIGH Nopcommerce 2025

Referanslar

https://github.com/nopSolutions/nopCommerce/issues/7044 https://seclists.org/fulldisclosure/2025/Aug/14 https://www.nopcommerce.com/en/release-notes?srsltid=AfmBOoravPKjN19pm_XZbXZ7GvPhkt8cxlK6794BJRZlY5RxJU_yNoTT https://www.kb.cert.org/vuls/id/633103

Benzer Kayıtlar

High

CVE-2025-65593

nopCommerce 4.90.0 is vulnerable to Cross Site Request Forgery (CSRF) via the Schedule Tasks functionality.

Medium

CVE-2025-65590

nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Blog posts functionality in the Content Managemen…

Medium

CVE-2025-65591

nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Currencies functionality.

Medium

CVE-2025-65592

nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) in the product management functionality. Malicious payloa…

Medium

CVE-2025-65589

nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Attributes functionality.

Medium

CVE-2021-42193

nopCommerce 4.40.3 is vulnerable to XSS in the Product Name at /Admin/Product/Edit/[id]. Each time a user views the prod…