nopCommerce, a popular e-commerce platform, has a critical session-management vulnerability: it fails to invalidate session cookies when a user logs out or the session is otherwise terminated. Because a logged-out cookie remains valid, an attacker holding a stolen copy can hijack the user's session, much as in CVE-2019-7215. Such cookies can be obtained through various means, such as XSS or network interception, and a compromised cookie grants access to privileged areas such as the admin panel. The vulnerability affects nopCommerce versions 4.70 and prior, and version 4.80.3. Session hijacking is a well-known attack vector, often used in financial fraud and ransomware campaigns; attackers put stolen session cookies to various malicious uses, including selling them on the dark web. Successful exploitation can therefore lead to financial loss and ransomware attacks. The fix is to update to version 4.90.3, or to any version of nopCommerce above 4.70 except version 4.80.3. Users are strongly urged to update their nopCommerce installations to mitigate this risk.
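The logout defect described above, as an added example that is not nopCommerce's code: a constructed signed-cookie session scheme in which one mode models the reported behaviour (logout only tells the browser to delete the cookie, so a copy taken earlier keeps authenticating until it expires) and the other also revokes the session server-side, so a replayed cookie is rejected. The names SessionServer, issue_cookie and parse_cookie are assumptions for this toy.

```python
# Constructed example (not nopCommerce code) of the logout defect described above.
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # constructed per-process signing key

def _mac(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user: str, ttl: int = 3600) -> str:
    """Build a cookie value of the form user|expiry|session_id|mac."""
    payload = f"{user}|{int(time.time()) + ttl}|{secrets.token_hex(8)}"
    return f"{payload}|{_mac(payload)}"

def parse_cookie(cookie: str):
    """Return (user, expiry, session_id) if the MAC and expiry hold, else None."""
    try:
        user, expiry, sid, mac = cookie.split("|")
    except ValueError:
        return None
    if not hmac.compare_digest(mac, _mac(f"{user}|{expiry}|{sid}")):
        return None
    return (user, int(expiry), sid) if int(expiry) > time.time() else None

class SessionServer:
    """revoke_on_logout=False models the reported behaviour (logout only tells
    the browser to delete the cookie); True adds a server-side live-session
    registry so a replayed copy of the cookie is rejected after logout."""

    def __init__(self, revoke_on_logout: bool):
        self.revoke_on_logout = revoke_on_logout
        self.live: set[str] = set()

    def login(self, user: str) -> str:
        cookie = issue_cookie(user)
        self.live.add(parse_cookie(cookie)[2])
        return cookie

    def logout(self, cookie: str) -> None:
        # Both modes would emit a Set-Cookie deletion; only the hardened mode
        # also removes the server-side record.
        parsed = parse_cookie(cookie)
        if parsed and self.revoke_on_logout:
            self.live.discard(parsed[2])

    def authenticate(self, cookie: str):
        parsed = parse_cookie(cookie)
        if not parsed or (self.revoke_on_logout and parsed[2] not in self.live):
            return None
        return parsed[0]
```

In the weak mode the cookie still authenticates after logout, which is exactly the condition a stolen cookie exploits; the hardened mode rejects it once the session id is dropped from the registry.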
kb.cert.org