nopCommerce <= 4.70 and 4.80.3 – Insufficient Session Cookie Invalidation (CVE-2025-11699)

Author: Beatriz Fresno Naumova (beafn28)

Date: 01/12/2025

Vendor: nopSolutions

Product: nopCommerce (ASP.NET Core eCommerce Platform)

Versions affected:

  • <= 4.70

  • 4.80.3

Component: Authentication / Session Management

CWE: CWE-613 – Insufficient Session Expiration

Attack type: Remote

Impact: Session Hijacking / Privilege Escalation

Description

nopCommerce is an open-source eCommerce platform built on ASP.NET Core and backed by Microsoft SQL Server. Versions up to 4.70 and version 4.80.3 fail to properly invalidate session cookies after user logout or session termination.

As a result, an attacker who obtains a valid session cookie can continue to access authenticated and privileged endpoints (such as /admin) even after the legitimate user has logged out. This behavior enables session hijacking attacks and mirrors previously observed vulnerabilities such as CVE-2019-7215.

Session cookies may be obtained through cross-site scripting (XSS), network interception, malware infection, or local compromise. Once captured, the cookie remains valid beyond logout, violating expected session lifecycle guarantees.

Impact

Primary impact: Session hijacking leading to unauthorized access.

Consequences:

  • Unauthorized access to administrative or user accounts

  • Financial fraud and data manipulation

  • Ransomware or cryptocurrency theft campaigns

  • Sale of valid session cookies on underground forums

Session hijacking attacks have been widely abused in real-world incidents and remain a high-impact threat, particularly for eCommerce platforms.

CVSS Details

  • Attack Vector (AV): Network (N)

  • Attack Complexity (AC): Low (L)

  • Privileges Required (PR): None (N)

  • User Interaction (UI): Required (R)

  • Scope (S): Unchanged (U)

  • Confidentiality (C): High (H)

  • Integrity (I): High (H)

  • Availability (A): None (N)

CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

CVSS v3.1 Base Score: 7.1 (High)

Note: An attacker must first obtain a valid session cookie (e.g., via XSS, network interception, or local compromise), but no additional privileges are required once the cookie is captured.

Solution

  • Upgrade immediately: Update to nopCommerce 4.90.3 or later.

  • Affected users:

    • Any version up to and including 4.70

    • Version 4.80.3

  • Fixed versions:

    • Versions after 4.70, excluding 4.80.3

Mitigation

  • Invalidate and rotate session cookies on logout and session termination.

  • Implement server-side session invalidation tied to logout events.

  • Consider binding sessions to additional context (IP, User-Agent) where feasible.

  • Monitor for anomalous reuse of session identifiers.

  • Conduct periodic session management security reviews.
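The server-side invalidation the Mitigation section calls for, as an added example that is not nopCommerce's code: an ASP.NET Core minimal app whose cookie handler checks a hypothetical SessionRegistry on every request and revokes the entry at logout, so a cookie captured before logout no longer authenticates afterwards. The "sid" claim name and the registry type are assumptions.

```csharp
// Added example, not nopCommerce code: server-side session revocation for ASP.NET Core cookie
// authentication. Assumes implicit usings; the "sid" claim and SessionRegistry are hypothetical.
using System.Collections.Concurrent;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddSingleton<SessionRegistry>();
builder.Services.AddAuthorization();
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(o =>
    {
        o.Cookie.HttpOnly = true;
        o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        // Runs on every request carrying the auth cookie: a cookie that still decrypts and is
        // unexpired, but whose server-side session was revoked at logout, is rejected here.
        o.Events.OnValidatePrincipal = async ctx =>
        {
            var registry = ctx.HttpContext.RequestServices.GetRequiredService<SessionRegistry>();
            if (!registry.IsActive(ctx.Principal?.FindFirst("sid")?.Value))
            {
                ctx.RejectPrincipal();
                await ctx.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            }
        };
    });
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapPost("/login", async (HttpContext http, SessionRegistry registry) =>
{
    // Constructed demo identity; a real handler validates credentials first.
    // Each login gets a fresh server-side session id carried in the "sid" claim.
    var id = new ClaimsIdentity(new[] { new Claim("sid", registry.Issue()) }, CookieAuthenticationDefaults.AuthenticationScheme);
    await http.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(id));
});
app.MapPost("/logout", async (HttpContext http, SessionRegistry registry) =>
{
    // Revoke server-side first so a replayed copy of the cookie fails validation, then clear it.
    registry.Revoke(http.User.FindFirst("sid")?.Value);
    await http.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
});
app.MapGet("/admin", () => "admin ok").RequireAuthorization();
app.Run();
// Hypothetical in-memory registry; back it with a database or distributed cache in production.
sealed class SessionRegistry
{
    private readonly ConcurrentDictionary<string, byte> _active = new();
    public string Issue() { var id = Guid.NewGuid().ToString("N"); _active[id] = 0; return id; }
    public bool IsActive(string? id) => id is not null && _active.ContainsKey(id);
    public void Revoke(string? id) { if (id is not null) _active.TryRemove(id, out _); }
}
```

After a POST to /logout, a saved copy of the cookie sent to /admin is rejected in OnValidatePrincipal rather than accepted, which is the behaviour the affected versions lack.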

Discoverer

Beatriz Fresno Naumova (beafn28)
