Description

nopCommerce v4.70 and prior, and version 4.80.3, do not invalidate session cookies after logout or session termination, allowing an attacker who holds a valid session cookie to access privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability.

PUBLISHED Reserved 2025-10-13 | Published 2025-12-01 | Updated 2025-12-01 | Assigner certcc

Problem types

CWE-613 Insufficient Session Expiration

Product status

4.80.3 (custom): affected

4.10 (custom) before 4.70: affected

References

www.kb.cert.org/vuls/id/633103

seclists.org/fulldisclosure/2025/Aug/14

github.com/nopSolutions/nopCommerce/issues/7044

www.nopcommerce.com/...ZbXZ7GvPhkt8cxlK6794BJRZlY5RxJU_yNoTT

cve.org (CVE-2025-11699)

nvd.nist.gov (CVE-2025-11699)