CVE-2025-59335
CubeCart < 6.5.11 - Insufficient Session Expiration after Password Change
Severity
HIGH
Title source: llmDescription
CubeCart is an ecommerce software solution. Prior to version 6.5.11, CubeCart does not expire a user's existing sessions when that user changes their password. If a user forgets to log out on a shared or untrusted device, anyone with access to that device keeps a working session even after the password has been changed. Likewise, if an account has already been compromised, the legitimate user has no way to revoke the attacker's access: the attacker retains full access to the account until the session expires on its own, so the account remains insecure after the password change. This issue has been patched in version 6.5.11.
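The following is an added example, not CubeCart's code, that models the flaw and its fix with an in-memory user and session store. The vulnerable path only replaces the password hash; the fixed path also bumps a per-user credential generation, purges every stored session for that user, and re-issues a token to the client that made the change. The user, token and password values are constructed for the scenario and the PBKDF2 round count is an assumption chosen to keep the example fast.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ROUNDS = 100_000  # assumption for the example; production uses more


def hash_password(password: str) -> bytes:
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class User:
    user_id: int
    password_hash: bytes
    # Bumped on every credential change. A session records the value it was
    # issued under, so a mismatch means "issued before the last change".
    credential_generation: int = 0


@dataclass
class Session:
    user_id: int
    generation: int
    expires_at: float


class SessionStore:
    def __init__(self, ttl: float = 3600.0):
        self.ttl = ttl
        self.sessions: Dict[str, Session] = {}

    def issue(self, user: User, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user.user_id, user.credential_generation, now + self.ttl)
        return token

    def login(self, user: User, password: str, now: float) -> Optional[str]:
        return self.issue(user, now) if verify_password(password, user.password_hash) else None

    def resolve_vulnerable(self, token: str, users: Dict[int, User], now: float) -> Optional[User]:
        """Pre-fix behaviour: a session is valid until its TTL runs out,
        whatever happened to the account in the meantime."""
        s = self.sessions.get(token)
        if s is None or now >= s.expires_at:
            return None
        return users[s.user_id]

    def resolve_fixed(self, token: str, users: Dict[int, User], now: float) -> Optional[User]:
        """Hardened behaviour: also reject (and purge) any session issued
        under an older credential generation."""
        s = self.sessions.get(token)
        if s is None or now >= s.expires_at:
            return None
        user = users[s.user_id]
        if s.generation != user.credential_generation:
            del self.sessions[token]
            return None
        return user


def change_password_vulnerable(user: User, new_password: str) -> None:
    """Only the hash changes; every existing session keeps working."""
    user.password_hash = hash_password(new_password)


def change_password_fixed(store: SessionStore, user: User, new_password: str, now: float) -> str:
    """Rotate the hash, invalidate every session of this user, then issue a
    fresh token so the client that made the change is not logged out."""
    user.password_hash = hash_password(new_password)
    user.credential_generation += 1
    for tok in [t for t, s in store.sessions.items() if s.user_id == user.user_id]:
        del store.sessions[tok]
    return store.issue(user, now)


def simulate(fixed: bool, now: float = 1_000.0) -> Dict[str, bool]:
    """Constructed scenario: an attacker already holds a valid session when the
    victim changes the password from a session of their own."""
    user = User(1, hash_password("hunter2"))
    users = {1: user}
    store = SessionStore()
    attacker_token = store.login(user, "hunter2", now)
    victim_token = store.login(user, "hunter2", now)
    if fixed:
        victim_token = change_password_fixed(store, user, "correct horse", now)
        resolve = store.resolve_fixed
    else:
        change_password_vulnerable(user, "correct horse")
        resolve = store.resolve_vulnerable
    later = now + 60  # well inside the TTL, so only revocation can end a session
    return {
        "attacker_still_logged_in": resolve(attacker_token, users, later) is not None,
        "victim_still_logged_in": resolve(victim_token, users, later) is not None,
        "old_password_still_works": store.login(user, "hunter2", later) is not None,
    }


if __name__ == "__main__":
    print("vulnerable:", simulate(fixed=False))
    print("fixed:     ", simulate(fixed=True))
```

The generation check is what matters when sessions live somewhere the password-change handler cannot enumerate (a cookie-backed session, another node's cache): even a session the purge loop missed is rejected the next time it is resolved, because it carries a stale generation number.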
References (3)
Exploit, Vendor Advisory (x_refsource_confirm)
https://github.com/cubecart/v6/security/advisories/GHSA-4vwh-x8m2-fmvv
Patch (x_refsource_misc)
https://github.com/cubecart/v6/commit/4bfaeb4485dd82255a108940a163af5ba4583b52
Patch (x_refsource_misc)
https://github.com/cubecart/v6/commit/62d9be8416aa6fd7343f8932d98c5b112b163e26
Scores
CVSS v3
7.1
EPSS
0.0019
EPSS Percentile
8.3%
Attack Vector
LOCAL
CVSS v3.1 Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-613
Status
published
Products (1)
cubecart/cubecart
< 6.5.11
Published
Sep 22, 2025
Tracked Since
Feb 18, 2026