HIGH · 7.1

CVE-2025-11699

nopCommerce v4.70 and prior, and version 4.80.3, do not invalidate session cookies after logout or session termination, allowing an attacker who holds a valid session cookie to reach privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking.

Vulnerability Description

nopCommerce v4.70 and prior, and version 4.80.3, do not invalidate session cookies after logout or session termination. An attacker who holds a valid session cookie (one captured before the user logged out) can therefore keep using it to reach privileged endpoints (such as /admin) after the legitimate user has logged out, enabling session hijacking. Releases later than 4.70, other than 4.80.3, fix the vulnerability.
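The practical check for this class of bug is a replay test: log in, keep a copy of the session cookie, log out, then send the saved cookie to a privileged endpoint and see whether it is still honoured. The script below is an added example, not nopCommerce code. It embeds two toy HTTP servers so it runs offline: one that only expires the browser cookie on logout (the behaviour the description attributes to the affected versions) and one that also deletes the server-side session, which is the usual remedy. The login route, the session-store layout and the `sid` cookie name are assumptions of the example; only the `/admin` endpoint comes from the advisory.

```python
"""Post-logout cookie replay check for the defect described in CVE-2025-11699.

Added example, not nopCommerce code. VulnerableApp expires the browser cookie
on logout but leaves the server-side session alive; HardenedApp also revokes
the server-side session. replay_after_logout() captures a cookie, logs out,
replays the cookie against /admin and returns the status code it gets back.
"""
import http.server
import secrets
import threading
import urllib.error
import urllib.request
from http.cookies import SimpleCookie


class VulnerableApp(http.server.BaseHTTPRequestHandler):
    # Server-side store: session id -> user. A class attribute, so every
    # per-request handler instance shares it. (Assumed toy layout.)
    sessions = {}
    revoke_on_logout = False

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _sid(self):
        cookie = SimpleCookie(self.headers.get("Cookie", ""))
        return cookie["sid"].value if "sid" in cookie else None

    def do_POST(self):
        if self.path == "/login":
            # Assumed toy login: any POST is accepted and gets an admin session.
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = "admin"
            self.send_response(200)
            self.send_header("Set-Cookie", f"sid={sid}; HttpOnly; Path=/")
            self.end_headers()
        elif self.path == "/logout":
            if self.revoke_on_logout:
                self.sessions.pop(self._sid(), None)  # server-side invalidation
            # Both variants expire the browser's cookie. On its own that does
            # nothing to a copy of the cookie an attacker already holds.
            self.send_response(200)
            self.send_header("Set-Cookie", "sid=; Max-Age=0; Path=/")
            self.end_headers()
        else:
            self.send_error(404)

    def do_GET(self):
        if self.path != "/admin":
            self.send_error(404)
            return
        if self._sid() in self.sessions:       # cookie still maps to a session
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"admin dashboard")
        else:                                   # unknown/revoked: back to login
            self.send_response(302)
            self.send_header("Location", "/login")
            self.end_headers()


class HardenedApp(VulnerableApp):
    sessions = {}            # separate store for the fixed variant
    revoke_on_logout = True


def start(handler_cls):
    """Serve handler_cls on an ephemeral localhost port in a background thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface a 302 as an HTTPError instead of silently following it."""
    def redirect_request(self, *args, **kwargs):
        return None


def replay_after_logout(base_url):
    """Log in, log out, then replay the pre-logout cookie against /admin.

    Returns the status /admin answered with: 200 means the stale cookie still
    works (vulnerable); 302 to login, 401 or 403 means it was invalidated.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    resp = opener.open(urllib.request.Request(base_url + "/login", data=b"", method="POST"))
    sid = SimpleCookie(resp.headers["Set-Cookie"])["sid"].value
    stale = {"Cookie": f"sid={sid}"}          # the attacker's saved copy
    opener.open(urllib.request.Request(base_url + "/logout", data=b"", method="POST", headers=stale))
    try:
        return opener.open(urllib.request.Request(base_url + "/admin", headers=stale)).status
    except urllib.error.HTTPError as err:
        return err.code


def demo():
    """Run the replay check against both toy servers."""
    results = {}
    for name, cls in (("vulnerable", VulnerableApp), ("hardened", HardenedApp)):
        srv, base = start(cls)
        try:
            results[name] = replay_after_logout(base)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    print(demo())   # {'vulnerable': 200, 'hardened': 302}
```

To run the same check against a real deployment, replace the toy login POST with the application's own login request (including any anti-forgery token it requires) and keep the rest: save the cookie, log out through the normal flow, replay the saved cookie to /admin and treat anything other than a redirect to login or a 401/403 as a finding. Note that "expire the cookie in the browser" and "invalidate the session" are different controls; only the second closes this gap.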

CVSS Score

7.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality: LOW
Integrity: HIGH
Availability: NONE

Affected Products

Vendor | Product | Versions
Nopcommerce | Nopcommerce | < 4.70.0

Note: the version range above covers only releases before 4.70.0, while the description names 4.70 itself and 4.80.3 as affected as well; check those two releases explicitly rather than relying on the range.

Related Weaknesses (CWE)

References

FAQ

What is CVE-2025-11699?

CVE-2025-11699 is a vulnerability with a CVSS score of 7.1 (HIGH). nopCommerce v4.70 and prior, and version 4.80.3, do not invalidate session cookies after logout or session termination, allowing an attacker who holds a valid session cookie to reach privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking.

How severe is CVE-2025-11699?

CVE-2025-11699 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-11699?

Check the references section above for vendor advisories and patch information. According to the description, releases later than 4.70, other than 4.80.3, contain the fix. Affected product: nopCommerce (vendor nopCommerce).