Описание
nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability.
Ссылки
- Issue Tracking
- Mailing ListThird Party Advisory
- Release Notes
- Third Party AdvisoryPatch
Уязвимые конфигурации
Одно из
EPSS
7.1 High
CVSS3
Дефекты
Связанные уязвимости
nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability.
EPSS
7.1 High
CVSS3