CVE-2025-11699
7.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Summary
nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| nopSolutions | nopCommerce | 4.80.3 <= 4.80.4 | affected |
| nopSolutions | nopCommerce | 4.10 < 4.70 | affected |
Weaknesses
- CWE-613 Insufficient Session Expiration
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://seclists.org/fulldisclosure/2025/Aug/14
- https://github.com/nopSolutions/nopCommerce/issues/7044
- https://www.nopcommerce.com/en/release-notes?srsltid=AfmBOoravPKjN19pm_XZbXZ7GvPhkt8cxlK6794BJRZlY5RxJU_yNoTT
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.