CVE-2025-11699

· Published 01/12/2025 16:15 · Modified 19/12/2025 17:02

Labels: CVE-2025-11699, 2025-12-01, CWE-613, [email protected]

Essential information

Published: 01/12/2025 16:15
Modified: 19/12/2025 17:02
Author
Creator
CVSS: 7.1 HIGH (v3.1)
CISA KEV: No
CWE
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

Description

nopCommerce v4.70 and prior, and version 4.80.3, do not invalidate session cookies after logout or session termination. An attacker who has a valid session cookie can access privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability.

NVD status

Status: Analyzed. CVE has had analysis completed and all data associations made.
Source: [email protected]

Affected products (CPE)

Product                      CPE
nopcommerce / nopcommerce    cpe:2.3:a:nopcommerce:nopcommerce:*:*:*:*:*:*:*:*
nopcommerce / nopcommerce    cpe:2.3:a:nopcommerce:nopcommerce:4.80.3:*:*:*:*:*:*:*

References