Critical Session Hijacking Vulnerability Plagues nopCommerce: CVE-2025-11699

Overview

CVE-2025-11699 is a critical session hijacking vulnerability affecting nopCommerce, a popular open-source e-commerce platform. Specifically, versions 4.70 and prior, as well as version 4.80.3, fail to properly invalidate session cookies after a user logs out or their session terminates. This oversight allows an attacker in possession of a valid session cookie to gain unauthorized access to privileged endpoints, such as the administrative panel (/admin), even after the legitimate user has logged out. Versions later than 4.70, with the exception of 4.80.3, contain the fix.

Technical Details

The vulnerability stems from a lack of proper session management within nopCommerce. When a user logs out or their session expires, the server does not invalidate the associated session cookie stored in the user’s browser. An attacker who has previously intercepted or stolen this valid cookie (e.g., through cross-site scripting (XSS) or network sniffing) can then replay the cookie to the server and impersonate the legitimate user.

The server, upon receiving the stale but still valid cookie, incorrectly authenticates the attacker, granting them access to areas of the platform reserved for authenticated users. This includes sensitive administrative functions, potentially leading to complete compromise of the e-commerce store.
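The failure class described above is easiest to see side by side with its fix. The following is an added, constructed example and is not nopCommerce code: a "stateless" session whose cookie alone decides authentication (logout only asks the browser to drop the cookie, so a retained copy still verifies) next to a server-tracked session whose identifier is deleted from a store at logout. The signing key, role names and lifetime are hypothetical.

```python
"""Session invalidation on logout: vulnerable pattern vs hardened pattern.

Constructed illustration of the defect class (a cookie that remains valid
after logout). This is not nopCommerce's code; names are hypothetical.
"""
import hashlib
import hmac
import secrets
import time

SECRET_KEY = b"constructed-demo-key"  # hypothetical server-side secret


def sign(payload: str) -> str:
    """Attach an HMAC tag to the payload, like a self-contained auth cookie."""
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_signature(cookie: str):
    """Return the payload if the tag checks out, otherwise None."""
    payload, _, tag = cookie.rpartition(".")
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload if hmac.compare_digest(tag, expected) else None


class StatelessSessions:
    """Vulnerable pattern: the cookie is the whole session. Logout has
    nothing to revoke server-side, so any copy of the cookie stays valid
    until its embedded expiry."""

    def login(self, user: str, role: str) -> str:
        return sign(f"{user}:{role}:{int(time.time()) + 3600}")

    def logout(self, cookie: str) -> None:
        pass  # only the browser's copy is cleared; nothing is revoked

    def authenticate(self, cookie: str):
        payload = verify_signature(cookie)
        if payload is None:
            return None
        user, role, exp = payload.split(":")
        if int(exp) < time.time():
            return None
        return (user, role)


class ServerTrackedSessions:
    """Hardened pattern: the cookie carries only a random session id that
    must be present in a server-side store; logout deletes the entry, so a
    replayed cookie is rejected even if its signature is intact."""

    def __init__(self):
        self._store = {}  # session id -> (user, role, expiry)

    def login(self, user: str, role: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._store[sid] = (user, role, time.time() + 3600)
        return sign(sid)

    def logout(self, cookie: str) -> None:
        sid = verify_signature(cookie)
        self._store.pop(sid, None)  # revoke server-side

    def authenticate(self, cookie: str):
        sid = verify_signature(cookie)
        entry = self._store.get(sid)
        if entry is None:
            return None
        user, role, exp = entry
        if exp < time.time():
            del self._store[sid]
            return None
        return (user, role)


def replay_after_logout(sessions) -> bool:
    """Regression check: a user logs in, a copy of the cookie is retained,
    the user logs out, the copy is presented again. Returns True when the
    stale cookie still authenticates (the vulnerable behaviour)."""
    cookie = sessions.login("admin", "Administrators")
    retained_copy = cookie
    sessions.logout(cookie)
    return sessions.authenticate(retained_copy) is not None


if __name__ == "__main__":
    print("stateless replays after logout:", replay_after_logout(StatelessSessions()))
    print("server-tracked replays after logout:", replay_after_logout(ServerTrackedSessions()))
```

The `replay_after_logout` check is the kind of test a deployment can keep in its suite: it should return False for the session implementation in use, and a change that flips it to True indicates the logout path no longer revokes anything server-side.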

CVSS Analysis

Because the available information does not include a CVSS score or severity rating, we are unable to perform a CVSS analysis. However, based on the description of the vulnerability, it is reasonable to treat it as a high to critical severity issue, since it allows complete account takeover through access to privileged endpoints.

Possible Impact

The potential impact of CVE-2025-11699 is significant. Successful exploitation could lead to:

  • Account Takeover: Attackers can gain complete control of administrator accounts.
  • Data Breach: Sensitive customer data, including personal information and payment details, could be stolen.
  • Website Defacement: Attackers could modify or deface the e-commerce store, damaging its reputation.
  • Malware Distribution: The compromised store could be used to distribute malware to visitors.
  • Financial Loss: The e-commerce business could suffer significant financial losses due to fraud, downtime, and reputational damage.

Mitigation and Patch Steps

To mitigate the risk posed by CVE-2025-11699, it is crucial to take the following steps:

  • Upgrade nopCommerce: The most effective solution is to upgrade to a version of nopCommerce that addresses the vulnerability. Versions above 4.70 (excluding 4.80.3) contain the necessary fix.
  • Implement Web Application Firewall (WAF): A WAF can help detect and block malicious requests, potentially mitigating exploitation attempts. Configure the WAF to look for suspicious activity and cookie manipulation.
  • Review Session Management Settings: Ensure that session timeouts are appropriately configured and that the application invalidates sessions upon logout or inactivity.
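Until the upgrade is in place, the reuse pattern behind this vulnerability can be spotted in application logs: a session identifier that is presented on a privileged path, and accepted, after that same identifier was logged out. The script below is an added, constructed example, not part of the advisory or of nopCommerce; the log format and the hashed session-id field are hypothetical, and the sample lines are made up.

```python
"""Flag requests that reuse a session id after its logout event.

Added detection example with a constructed, hypothetical log format:
  <time> <client ip> <LOGIN|LOGOUT|REQ> sid=<hashed id> path=<url> status=<code>
Real deployments should log a hash of the session cookie, never the raw value.
"""
from dataclasses import dataclass

# Constructed sample log (documentation IP ranges, made-up session hashes).
SAMPLE_LOG = """\
12:00:01 203.0.113.5 LOGIN  sid=a1b2 path=/login status=302
12:00:05 203.0.113.5 REQ    sid=a1b2 path=/admin status=200
12:05:00 203.0.113.5 LOGOUT sid=a1b2 path=/logout status=302
12:07:30 198.51.100.9 REQ   sid=a1b2 path=/admin status=200
12:07:31 198.51.100.9 REQ   sid=a1b2 path=/admin/customer/list status=200
12:10:00 203.0.113.7 LOGIN  sid=c3d4 path=/login status=302
12:10:02 203.0.113.7 REQ    sid=c3d4 path=/admin status=200
"""


@dataclass
class Alert:
    time: str
    ip: str
    sid: str
    path: str
    logout_time: str
    logout_ip: str


def parse_line(line: str):
    """Split one constructed log line into its fields."""
    fields = line.split()
    time, ip, event = fields[0], fields[1], fields[2]
    kv = dict(f.split("=", 1) for f in fields[3:])
    return time, ip, event, kv["sid"], kv["path"], int(kv["status"])


def find_post_logout_reuse(log_text: str, privileged_prefix: str = "/admin"):
    """Return an Alert for every accepted (HTTP 200) request to a privileged
    path whose session id was previously logged out and not logged in again.
    A fresh LOGIN clears the logged-out state for that id."""
    ended = {}   # sid -> (logout time, logout ip)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        time, ip, event, sid, path, status = parse_line(line)
        if event == "LOGIN":
            ended.pop(sid, None)
        elif event == "LOGOUT":
            ended[sid] = (time, ip)
        elif (event == "REQ" and sid in ended and status == 200
              and path.startswith(privileged_prefix)):
            logout_time, logout_ip = ended[sid]
            alerts.append(Alert(time, ip, sid, path, logout_time, logout_ip))
    return alerts


if __name__ == "__main__":
    for a in find_post_logout_reuse(SAMPLE_LOG):
        flag = "different client" if a.ip != a.logout_ip else "same client"
        print(f"{a.time} sid={a.sid} {a.path} accepted from {a.ip} "
              f"after logout at {a.logout_time} ({flag})")
```

Each alert carries the client address of the logout and of the later request, so a reuse from a different address can be triaged first. On a patched server the condition should never be met, because the post-logout request would be rejected rather than answered with 200; on an affected version, any hit is a strong indicator of a replayed cookie.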
