nopCommerce Session Hijacking Vulnerability Due to Insufficient Cookie Invalidation

Vulnerability

A vulnerability exists in nopCommerce versions 4.70 and prior, as well as 4.80.3, where session cookies are not properly invalidated after logout or session termination. An attacker who holds a valid session cookie can therefore keep using it to reach privileged endpoints, such as the admin panel, even after the user has logged out, which amounts to session hijacking. The cookie could be exposed through network interception, cross-site scripting (XSS), or a local compromise that reveals the session cookie.

Impact

Exploitation of this vulnerability allows for session hijacking, where an attacker can impersonate a logged-in user and access sensitive areas of the application, such as the admin panel. This could lead to unauthorized changes or access to confidential information.

Reproduction

To reproduce this vulnerability, log into a nopCommerce store using a valid account. After logging in, capture the '.Nop.Authentication' cookie. Once the cookie is obtained, log out of the account. Despite logging out, the session cookie remains valid and can be used to access restricted areas like the admin panel, thereby hijacking the session.

Remediation

Users should update to nopCommerce version 4.90.3, as this version addresses the vulnerability. Instructions for downloading the latest version are available on the nopCommerce website.
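The underlying defect is that a cookie ticket stays usable until it expires, because nothing on the server records that the user logged out. One way to close that gap in an ASP.NET Core cookie-authentication setup, as an added example that is not nopCommerce's code and not a description of how 4.90.3 fixes it: keep a per-user session version server-side, embed it in the ticket at sign-in, and reject any cookie whose version no longer matches. ISessionVersionStore, SessionVersionClaim and RevocableCookieEvents are hypothetical names, and the default cookie scheme name is assumed.

```csharp
// Added mitigation example, not nopCommerce code: server-side invalidation for
// ASP.NET Core cookie authentication. Each ticket carries a "session version"
// claim; logout bumps the stored version, so any cookie issued earlier
// (including one captured before logout) is rejected on its next request.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
// Hypothetical store; back it with the database or a distributed cache so every node agrees.
public interface ISessionVersionStore
{
    Task<int> GetAsync(string userId);
    Task BumpAsync(string userId);   // increments the stored version for userId
}

public static class SessionVersionClaim
{
    public const string Type = "session_version";   // hypothetical claim type
    // At sign-in, add new Claim(Type, currentVersion.ToString()) to the ClaimsIdentity.
}
public sealed class RevocableCookieEvents : CookieAuthenticationEvents
{
    private readonly ISessionVersionStore _store;
    public RevocableCookieEvents(ISessionVersionStore store) => _store = store;

    // Runs on every request that presents an authentication cookie.
    public override async Task ValidatePrincipal(CookieValidatePrincipalContext context)
    {
        var userId = context.Principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        var claimed = context.Principal?.FindFirst(SessionVersionClaim.Type)?.Value;
        if (userId is null || !int.TryParse(claimed, out var cookieVersion)
            || cookieVersion != await _store.GetAsync(userId))
        {
            // Stale, revoked or tampered ticket: drop the identity and clear the cookie.
            context.RejectPrincipal();
            await context.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        }
    }
    // Logout must bump the version so the server stops honouring every copy of
    // the old ticket; deleting the browser's cookie alone leaves captured copies valid.
    public static async Task LogoutAsync(HttpContext http, ISessionVersionStore store)
    {
        var userId = http.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId is not null) await store.BumpAsync(userId);
        await http.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    }
}
// Wiring: services.AddScoped<RevocableCookieEvents>();
// services.AddAuthentication().AddCookie(o => o.EventsType = typeof(RevocableCookieEvents));
```

A quick check after deploying such a change is the page's own reproduction steps: a cookie captured before logout must now yield a redirect to the login page rather than the admin panel.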

Added: Dec 1, 2025, 4:36 PM
Updated: Dec 1, 2025, 7:25 PM

Vulnerability Rating

Custom Algorithm

spread          5.2
impact          5.0
exploitability  8.6
remediation     7.7
relevance       1.2
threat          1.6
urgency         2.9
incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.