VDB
CVE-2025-11699
CVE-2025-11699
PUBLISHED
CVSS 7.099999904632568 HIGH
nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability.
EPSS 0.03% · 9.5th percentile
Risk Scores
CVSS 3.1
7.099999904632568
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
EPSS Score
0.03%
9.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| nopSolutions | nopCommerce | 4.80.3, 4.10 |
| nopcommerce | nopcommerce | 0, 4.80.3 |
Timeline
- Oct 13, 2025 CVE ID Reserved
- Dec 1, 2025 CVE Published
- Dec 1, 2025 PoC Published
- Dec 1, 2025 CVE Updated
- Dec 2, 2025 EPSS Score
- Dec 2, 2025 PoC Published
- Dec 6, 2025 EPSS Score
- Dec 11, 2025 EPSS Score
- Dec 15, 2025 EPSS Score
- Dec 20, 2025 EPSS Score
- Dec 24, 2025 EPSS Score
- Dec 29, 2025 EPSS Score
References
- https://seclists.org/fulldisclosure/2025/Aug/14 url
- https://github.com/nopSolutions/nopCommerce/issues/7044 url
- https://www.nopcommerce.com/en/release-notes?srsltid=AfmBOoravPKjN19pm_XZbXZ7GvPhkt8cxlK6794BJRZlY5RxJU_yNoTT url
- https://www.kb.cert.org/vuls/id/633103 url
- https://nvd.nist.gov/vuln/detail/CVE-2025-11699 advisory