CVE-2025-59335
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-22

Last updated on: 2025-09-23

Assigner: GitHub, Inc.

Description
CubeCart is an ecommerce software solution. Prior to version 6.5.11, there is an absence of automatic session expiration following a user's password change. This oversight poses a security risk, as if a user forgets to log out from a location where they accessed their account, an unauthorized user can maintain access even after the password has been changed. Due to this bug, if an account has already been compromised, the legitimate user has no way to revoke the attacker’s access. The malicious actor retains full access to the account until their session naturally expires. This means the account remains insecure even after the password has been changed. This issue has been patched in version 6.5.11.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-22
Last Modified
2025-09-23
Generated
2026-06-16
AI Q&A
2025-09-22
EPSS Evaluated
2026-06-14
NVD
CVE-2025-59335
EUVD
EUVD-2025-30837
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cubecart cubecart to 6.5.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in CubeCart versions prior to 6.5.11 occurs because user sessions are not automatically invalidated after a password change. This means if an attacker has already gained access to a user's account and the user changes their password, the attacker can still maintain access through the existing session without needing to re-authenticate. The legitimate user cannot revoke this unauthorized access by simply changing their password, leaving the account insecure until the session naturally expires. [1]

Impact Analysis

The vulnerability allows an attacker who has compromised an account to maintain unauthorized access even after the legitimate user changes their password. This means the attacker can continue to perform actions on the account without interruption, potentially leading to data theft, unauthorized transactions, or other malicious activities. The legitimate user has no immediate way to revoke the attacker's access, increasing the risk of prolonged account compromise. [1]

Detection Guidance

This vulnerability can be detected by checking if user sessions remain active after a password change. One practical method is to log into the same account on two different browsers or devices, change the password on one, and verify if the other session remains active without requiring re-authentication. There are no specific network or system commands provided to detect this vulnerability automatically. [1]

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade CubeCart to version 6.5.11 or later, where the issue is patched. The patch enforces automatic logout of users upon password changes, invalidating existing sessions. If upgrading is not immediately possible, manually logging out all sessions after a password change can help reduce risk. Additionally, inform users to log out from all devices after changing their password until the patch is applied. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59335. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart