CVE-2025-63563

6.5 MEDIUM

📋 TL;DR

This vulnerability allows attackers with stolen session tokens to maintain access to user accounts even after legitimate users change their passwords. It affects all users of Summer Pearl Group Vacation Rental Management Platform versions before 1.0.2. The flaw enables session hijacking and unauthorized account access.

💻 Affected Systems

Products:
  • Summer Pearl Group Vacation Rental Management Platform
Versions: All versions prior to 1.0.2
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments using vulnerable versions regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers maintain persistent access to compromised accounts, potentially accessing sensitive guest data, financial information, and administrative controls for vacation rental management.

🟠 Likely Case

Stolen sessions remain valid after password changes, allowing unauthorized access to user accounts and potentially exposing personal information and booking details.

🟢 If Mitigated

With proper session invalidation, attackers lose access immediately after password changes, limiting exposure to the window between session theft and password change.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires session token acquisition through other means (phishing, XSS, MITM).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.2

Vendor Advisory: https://github.com/Stolichnayer/Summer-Pearl-Group-Insufficient-Session-Expiration

Restart Required: No

Instructions:

1. Back up the current installation.
2. Download version 1.0.2 from the official source.
3. Replace the vulnerable files with the patched version.
4. Verify that session invalidation works on password change.

🔧 Temporary Workarounds

Manual Session Invalidation

Applies to: all

Implement custom session cleanup on password change events: add session termination logic to the password change handler.

🧯 If You Can't Patch

  • Force all users to log out and create new sessions after password changes
  • Implement additional authentication factors for sensitive operations

🔍 How to Verify

Check if Vulnerable:

1. Log into the application.
2. Note the session token.
3. Change the password.
4. Attempt to use the old session token. If it still works, the system is vulnerable.

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Repeat vulnerable check - old session tokens should be invalidated immediately after password change.

📡 Detection & Monitoring

Log Indicators:

  • Multiple active sessions for same user after password change
  • Session reuse after password reset events

Network Indicators:

  • Session tokens being used after password change timestamps

SIEM Query:

source="app_logs" AND (event="password_change" OR event="session_reuse") | stats count by user_id, session_id
