CVE-2025-11699

Severity: High · EPSS 32.3%
Published Dec 1, 2025 · Modified Jun 17, 2026
CVSS 3.1 base score 7.1 (High)

Description

nopCommerce v4.70 and prior, and version 4.80.3, do not invalidate session cookies after logout or session termination, allowing an attacker who holds a valid session cookie to access privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability.
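The defect class above (CWE-613, insufficient session expiration) is easiest to see by comparing two session designs side by side: a purely cookie-carried session, where "logout" can only ask the browser to discard the cookie and a retained copy keeps working until its embedded expiry, and a server-side session registry, where logout deletes the record so a replayed cookie is rejected. The following is an added illustration written for this entry; it is not nopCommerce code and makes no claim about how nopCommerce implements sessions. The `SECRET` key, the user names and the timestamps are constructed values, and `replay_after_logout` is the kind of regression check a team would run against its own application to confirm the fix.

```python
"""CWE-613 illustration: cookie replay after logout, and the server-side fix."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets

SECRET = b"constructed-demo-key-do-not-reuse"  # constructed value for the demo only


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


class StatelessCookieSessions:
    """The whole session lives in a signed cookie; the server keeps no record.

    Logout has nothing to revoke, so any copy of the cookie remains valid
    until the expiry embedded in it. This is the pattern behind CWE-613.
    """

    def issue(self, user: str, now: int, ttl: int = 3600) -> str:
        payload = json.dumps({"u": user, "exp": int(now) + ttl}).encode()
        sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(sig)

    def logout(self, cookie: str) -> None:
        pass  # cannot invalidate: the server holds no state for this cookie

    def user_for(self, cookie: str, now: int):
        try:
            p_b64, s_b64 = cookie.split(".", 1)
            payload, sig = _unb64(p_b64), _unb64(s_b64)
            expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(sig, expected):
                return None  # tampered or foreign cookie
            data = json.loads(payload)
        except (ValueError, binascii.Error):
            return None
        if now >= data["exp"]:
            return None  # only the embedded expiry can end the session
        return data["u"]


class ServerSideSessions:
    """Opaque session id in the cookie; the authoritative record is server-side.

    Logout deletes the record, so a replayed id maps to nothing.
    """

    def __init__(self) -> None:
        self._by_id: dict[str, dict] = {}

    def issue(self, user: str, now: int, ttl: int = 3600) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable opaque identifier
        self._by_id[sid] = {"u": user, "exp": int(now) + ttl}
        return sid

    def logout(self, sid: str) -> None:
        self._by_id.pop(sid, None)  # revoke this session immediately

    def logout_all(self, user: str) -> None:
        """Revoke every session of a user, e.g. after a password change."""
        for sid in [s for s, r in self._by_id.items() if r["u"] == user]:
            del self._by_id[sid]

    def user_for(self, sid: str, now: int):
        rec = self._by_id.get(sid)
        if rec is None:
            return None  # unknown or revoked
        if now >= rec["exp"]:
            del self._by_id[sid]  # idle/absolute timeout also ends the session
            return None
        return rec["u"]


def admin_access(sessions, cookie: str, now: int) -> bool:
    """Gate for a privileged endpoint such as /admin: allow only live sessions."""
    return sessions.user_for(cookie, now) is not None


def replay_after_logout(sessions, now: int = 1_700_000_000) -> bool:
    """Regression check: log in, keep the cookie, log out, present it again.

    Returns True if the stale cookie is still accepted (the vulnerable
    behaviour) and False if logout actually invalidated it.
    """
    cookie = sessions.issue("admin", now)
    retained_copy = cookie
    sessions.logout(cookie)
    return admin_access(sessions, retained_copy, now + 60)


if __name__ == "__main__":
    print("stateless cookie still accepted after logout:",
          replay_after_logout(StatelessCookieSessions()))
    print("server-side session still accepted after logout:",
          replay_after_logout(ServerSideSessions()))
```

The server-side variant is also what makes "session termination" meaningful beyond logout: `logout_all` lets an administrator or a password-change handler revoke every session of a user at once, which a signed stateless cookie cannot offer without an additional server-side denylist.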

CVSS Details

Base Score
7.1
Exploitability
2.8
Impact
4.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality Low
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
32.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-613

Affected Products 2

Vendor        Product       Version   Range
nopcommerce   nopcommerce   *         <4.70.0
nopcommerce   nopcommerce   4.80.3    any

References 4

  • github.com https://github.com/nopSolutions/nopCommerce/issues/7044
    Issue Tracking
  • seclists.org https://seclists.org/fulldisclosure/2025/Aug/14
    Mailing List, Third Party Advisory
  • kb.cert.org https://www.kb.cert.org/vuls/id/633103
    Patch, Third Party Advisory
  • nopcommerce.com https://www.nopcommerce.com/en/release-notes?srsltid=AfmBOoravPKjN19pm_XZbXZ7GvPhkt8cxlK6794BJRZlY5RxJU_yNoTT
    Release Notes

Remediation

  • kb.cert.org https://www.kb.cert.org/vuls/id/633103
    Patch, Third Party Advisory