Nopcommerce: >> Nopcommerce >> 4.10 Security Vulnerabilities
nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a
a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability.
CVSS Score
7.1
EPSS Score
0.0
Published
2025-12-01
nopCommerce through 4.90.1 does not offer locking for order placement. Thus there is a race condition with duplicate redeeming of gift cards.
CVSS Score
3.5
EPSS Score
0.0
Published
2025-04-16
Multiple open redirect vulnerabilities in NopCommerce 4.10 through 4.50.1 allow remote attackers to conduct phishing attacks by redirecting users to attacker-controlled web sites via the returnUrl parameter, processed by the (1) ChangePassword function, (2) SignInCustomerAsync function, (3) SuccessfulAuthentication method, or (4) NopRedirectResultExecutor class.
CVSS Score
6.1
EPSS Score
0.003
Published
2022-10-20
An access control issue in nopcommerce v4.50.2 allows attackers to arbitrarily modify any customer's address via the addressedit endpoint.
CVSS Score
7.5
EPSS Score
0.002
Published
2022-10-19
In nopCommerce 4.50.1, an open redirect vulnerability can be triggered by luring a user to authenticate to a nopCommerce page by clicking on a crafted link.
CVSS Score
6.1
EPSS Score
0.002
Published
2022-05-04
Libraries/Nop.Services/Localization/LocalizationService.cs in nopCommerce through 4.10 allows XXE via the "Configurations -> Languages -> Edit Language -> Import Resources -> Upload XML file" screen.
CVSS Score
4.9
EPSS Score
0.003
Published
2019-04-25