Vulnerability Title: Insufficient Session Cookie Invalidation in nopCommerce v4.10 and 4.80.3
Source: Full Disclosure mailing list archives
Author: Ron E
Date: Sun, 17 Aug 2025 22:48:22 -0400

Vulnerability Description:
- nopCommerce versions v4.10 and 4.80.3 are vulnerable to insufficient session cookie invalidation.
- The application fails to properly invalidate or expire authentication cookies after logout or session termination.
- This allows attackers who obtain a valid session cookie (e.g., via network interception, XSS, or system compromise) to continue using the cookie to access privileged endpoints even after the legitimate user has logged out.
- The vulnerability enables session hijacking and privilege escalation.

Example HTTP Request:
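
Apart from the advisory's own request, the following is an added Python model of the flaw described above (not nopCommerce code and not from the advisory); the cookie layout `user|sid|mac` and all function names are assumptions made for the example. It contrasts signature-only cookie validation with validation that also checks server-side session state, so that logout actually revokes the cookie.

```python
import hashlib
import hmac
import secrets

KEY = secrets.token_bytes(32)  # signing key, constructed for this example
ACTIVE = set()                 # server-side registry of live session ids


def _sign(payload: str) -> str:
    return hmac.new(KEY, payload.encode(), hashlib.sha256).hexdigest()


def login(user: str) -> str:
    """Issue a signed cookie 'user|sid|mac' and register the session id."""
    sid = secrets.token_hex(16)
    ACTIVE.add(sid)
    payload = f"{user}|{sid}"
    return f"{payload}|{_sign(payload)}"


def logout(cookie: str) -> None:
    """Server-side logout: revoke the session id carried by the cookie."""
    parts = cookie.split("|")
    if len(parts) == 3:
        ACTIVE.discard(parts[1])


def validate_weak(cookie: str):
    """Models the reported behaviour: only the signature is checked, so a
    copy of the cookie taken before logout is still accepted afterwards."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user, sid, mac = parts
    expected = _sign(f"{user}|{sid}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return user


def validate_hardened(cookie: str):
    """Signature check plus a lookup of the session id in server-side state."""
    user = validate_weak(cookie)
    if user is None:
        return None
    sid = cookie.split("|")[1]
    return user if sid in ACTIVE else None
```

Clearing the cookie in the browser on logout does not help against a copy held elsewhere; only the server-side lookup in `validate_hardened` rejects it.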