CVE-2025-59335

HIGH EPSS 8.9%
Published Sep 22, 2025 (9mo ago) · Modified Jun 17, 2026 (2w ago)
7.1 CVSS 3.1
High

Description

CubeCart is an ecommerce software solution. Prior to version 6.5.11, sessions are not automatically expired when a user changes their password. This oversight poses a security risk: if a user forgets to log out from a location where they accessed their account, an unauthorized user can keep using that session even after the password has been changed. Because of this bug, if an account has already been compromised, the legitimate user has no way to revoke the attacker's access by changing the password; the malicious actor retains full access to the account until their session naturally expires. This means the account remains insecure even after the password has been changed. This issue has been patched in version 6.5.11.
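The weakness described above (CWE-613, insufficient session expiration) is easiest to see in a server-side session store. The following is an added example, not CubeCart's code or the referenced patch: a toy store whose `revoke_on_password_change` switch toggles between the flawed behaviour (other sessions survive a password change) and the mitigation (every other session for the user is dropped, and, as defence in depth, any session issued before the last password change is rejected on its next use). All names, the constructed user and the integer timestamps are assumptions for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    user_id: str
    salt: bytes
    password_hash: bytes
    password_changed_at: int  # timestamp of the last password change


@dataclass
class Session:
    user_id: str
    issued_at: int  # timestamp the session token was issued


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """Toy server-side session store, constructed for this example."""

    def __init__(self, revoke_on_password_change: bool) -> None:
        self.revoke_on_password_change = revoke_on_password_change
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def register(self, user_id: str, password: str, now: int) -> None:
        salt = secrets.token_bytes(16)
        self.users[user_id] = User(user_id, salt, _hash(password, salt), now)

    def login(self, user_id: str, password: str, now: int) -> Optional[str]:
        user = self.users.get(user_id)
        if user is None or not secrets.compare_digest(_hash(password, user.salt), user.password_hash):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user_id, now)
        return token

    def is_authenticated(self, token: str) -> bool:
        session = self.sessions.get(token)
        if session is None:
            return False
        user = self.users[session.user_id]
        # Defence in depth: a session issued before the last password change is stale,
        # even if the explicit revocation below was somehow skipped.
        if self.revoke_on_password_change and session.issued_at < user.password_changed_at:
            del self.sessions[token]
            return False
        return True

    def change_password(self, user_id: str, old_password: str, new_password: str,
                        current_token: str, now: int) -> bool:
        user = self.users[user_id]
        if not secrets.compare_digest(_hash(old_password, user.salt), user.password_hash):
            return False
        user.salt = secrets.token_bytes(16)
        user.password_hash = _hash(new_password, user.salt)
        user.password_changed_at = now
        if self.revoke_on_password_change:
            # Drop every other session belonging to this user; keep only the one
            # that performed the change so the owner is not logged out.
            stale = [t for t, s in self.sessions.items() if s.user_id == user_id and t != current_token]
            for token in stale:
                del self.sessions[token]
            # Re-stamp the surviving session so the staleness check above accepts it.
            if current_token in self.sessions:
                self.sessions[current_token].issued_at = now
        return True


def demo(revoke_on_password_change: bool) -> dict:
    """Replay the scenario from the advisory: a session left open elsewhere,
    then a password change by the account owner. Returns which sessions survive."""
    store = SessionStore(revoke_on_password_change)
    store.register("alice", "hunter2", now=100)            # constructed account
    forgotten = store.login("alice", "hunter2", now=110)   # session left logged in elsewhere
    owner = store.login("alice", "hunter2", now=120)       # owner's current session
    store.change_password("alice", "hunter2", "correct horse", owner, now=130)
    return {
        "forgotten_session_alive": store.is_authenticated(forgotten),
        "owner_session_alive": store.is_authenticated(owner),
        "old_password_still_works": store.login("alice", "hunter2", now=140) is not None,
    }


if __name__ == "__main__":
    print("without revocation:", demo(False))
    print("with revocation:   ", demo(True))
```

With `revoke_on_password_change=False` the forgotten session keeps working after the password change, which is exactly the condition the advisory describes; with it enabled only the session that made the change survives. The timestamp check is kept alongside explicit deletion because in real deployments sessions are often held in stores (file-backed, memcached, multiple app servers) where enumerating all sessions of one user is awkward, and comparing `issued_at` against `password_changed_at` on each request needs no enumeration at all.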

CVSS Details

Base Score
7.1
Exploitability
1.8
Impact
5.2
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
8.9% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-613

Affected Products 1

Vendor    Product   Version   Range
cubecart  cubecart  *         <6.5.11

References 3

  • github.com https://github.com/cubecart/v6/commit/4bfaeb4485dd82255a108940a163af5ba4583b52
    Patch
  • github.com https://github.com/cubecart/v6/commit/62d9be8416aa6fd7343f8932d98c5b112b163e26
    Patch
  • github.com https://github.com/cubecart/v6/security/advisories/GHSA-4vwh-x8m2-fmvv
    Exploit, Vendor Advisory

Remediation

  • github.com https://github.com/cubecart/v6/commit/4bfaeb4485dd82255a108940a163af5ba4583b52
    Patch
  • github.com https://github.com/cubecart/v6/commit/62d9be8416aa6fd7343f8932d98c5b112b163e26
    Patch