Unknown · Nopcommerce · CVE-2025-11699
**Name of the Vulnerable Software and Affected Versions**
nopCommerce versions prior to 4.80.3
**Description**
The software does not invalidate session cookies after logout or session termination. An attacker holding a valid session cookie can therefore keep using it to reach privileged endpoints, such as '/admin', even after the legitimate user has logged out, which enables session hijacking. Approximately 40.8k instances are exposed. Because the logout flaw leaves old session cookies reusable, the issue can lead to account hijacking, including administrative access.
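The failure mode above is a logout that only tells the browser to drop its cookie while the server keeps honouring the session. The following is an added example, not nopCommerce code and not a description of its internals: a small in-memory session store (the `SessionStore` class, the `session` cookie name and the user names are all constructed for this illustration) showing the weak logout beside the hardened one, plus a regression check a team can keep in its test suite to confirm that a logged-out token no longer reaches an admin route.

```python
import secrets
import time
from dataclasses import dataclass

# Placeholder cookie name for the example; not the product's real cookie name.
COOKIE_NAME = "session"


@dataclass
class Session:
    user: str
    roles: frozenset
    expires_at: float


class SessionStore:
    """In-memory server-side session store (constructed for this example).

    The server-side record is the source of truth: a cookie is only valid
    while a matching, unexpired record exists here.
    """

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._sessions = {}
        self._ttl = ttl_seconds
        self._clock = clock  # injectable for deterministic expiry tests

    def login(self, user, roles):
        """Issue a fresh random token and record the session on the server."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, frozenset(roles), self._clock() + self._ttl)
        return token

    def resolve(self, token):
        """Return the live session for a token, or None if unknown or expired."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._clock() >= session.expires_at:
            del self._sessions[token]
            return None
        return session

    def logout_cookie_only(self, token):
        """Weak logout: clears the browser cookie but keeps the server record,
        so a token captured before logout still resolves afterwards."""
        return {"Set-Cookie": f"{COOKIE_NAME}=; Max-Age=0; Path=/"}

    def logout(self, token):
        """Hardened logout: revoke the server-side record, then clear the cookie."""
        self._sessions.pop(token, None)
        return {"Set-Cookie": f"{COOKIE_NAME}=; Max-Age=0; Path=/"}

    def logout_everywhere(self, user):
        """Revoke every session of a user (e.g. after a password change)."""
        stale = [t for t, s in self._sessions.items() if s.user == user]
        for t in stale:
            del self._sessions[t]
        return len(stale)


def admin_allowed(store, token):
    """Authorization check for an admin route: live session with the admin role."""
    session = store.resolve(token)
    return session is not None and "admin" in session.roles


def logout_revokes_session(logout):
    """Regression check: after `logout(store, token)` the old token must no
    longer reach the admin route. Returns True when logout revokes correctly."""
    store = SessionStore()
    token = store.login("alice", {"admin"})
    if not admin_allowed(store, token):
        raise RuntimeError("fresh admin session should be accepted")
    logout(store, token)
    return not admin_allowed(store, token)


if __name__ == "__main__":
    print("hardened logout revokes:", logout_revokes_session(SessionStore.logout))
    print("cookie-only logout revokes:", logout_revokes_session(SessionStore.logout_cookie_only))
```

The check takes the logout routine as a parameter so the same test can be pointed at whichever logout handler the application actually wires up; a deployment whose logout behaves like `logout_cookie_only` fails the check, which is exactly the condition the advisory describes. Frameworks that keep no server-side session state (self-contained ticket cookies) need an equivalent revocation list or ticket store for the hardened behaviour to be possible at all.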
**Recommendations**
Versions prior to 4.80.3 should be updated to version 4.80.3 or later.