
CVE-2025-63563: n/a

Severity: Medium
Published: Fri Oct 31 2025 (10/31/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Summer Pearl Group Vacation Rental Management Platform prior to v1.0.2 does not properly invalidate active user sessions after a password change. This allows an attacker with a valid session token to maintain access to the account even after the legitimate user changes their password.

AI-Powered Analysis

Last updated: 11/08/2025, 02:08:40 UTC

Technical Analysis

CVE-2025-63563 identifies a security vulnerability in the Summer Pearl Group Vacation Rental Management Platform prior to version 1.0.2. The core issue is the platform's failure to invalidate active user sessions when a user changes their password. Normally, password changes should terminate all existing sessions to prevent unauthorized access if session tokens have been compromised. However, in this case, an attacker who has obtained a valid session token before the password change can continue to access the victim's account without interruption. This vulnerability is classified under CWE-286 (Improper Authorization), indicating a failure in enforcing proper access controls. The CVSS 3.1 base score is 6.5, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L, meaning the attack can be performed remotely over the network without any privileges or user interaction, resulting in limited confidentiality impact and low availability impact. Although no public exploits are currently known, the vulnerability could be leveraged by attackers who have previously gained session tokens through other means such as session hijacking or credential theft. The lack of session invalidation undermines the security benefits of password changes, potentially allowing persistent unauthorized access. This flaw is particularly concerning for organizations handling sensitive user data or financial transactions within the vacation rental domain. The absence of patch links suggests that users must verify updates directly from the vendor. Organizations should prioritize upgrading to version 1.0.2 or later, which presumably addresses this issue by enforcing session invalidation upon password changes.

Potential Impact

For European organizations using the Summer Pearl Group Vacation Rental Management Platform, this vulnerability could lead to unauthorized persistent access to user accounts even after password changes. This undermines user trust and can result in data exposure, unauthorized booking modifications, or fraudulent transactions. The confidentiality of user information is partially compromised since attackers can maintain access without re-authenticating. The availability impact is low but could include disruption of legitimate user activities if attackers manipulate sessions. Given the platform's role in managing vacation rentals, attackers might exploit this to commit fraud, disrupt bookings, or harvest personal data, impacting business reputation and compliance with data protection regulations such as GDPR. The medium severity rating reflects these risks, emphasizing the need for timely remediation to prevent exploitation. Although no active exploits are reported, the ease of exploitation (no privileges or user interaction required) increases the risk if session tokens are compromised through other attack vectors.

Mitigation Recommendations

1. Immediately upgrade the Summer Pearl Group Vacation Rental Management Platform to version 1.0.2 or later, where session invalidation upon password change is implemented.
2. Implement additional security controls such as multi-factor authentication (MFA) to reduce the risk of session token compromise.
3. Monitor active sessions and provide users with the ability to view and revoke active sessions manually.
4. Enforce short session lifetimes and require re-authentication for sensitive operations.
5. Conduct regular security audits and penetration testing focused on session management controls.
6. Educate users on the importance of logging out from shared or public devices and recognizing suspicious account activity.
7. If upgrading immediately is not possible, consider implementing compensating controls such as forced logout mechanisms via custom scripts or firewall rules to invalidate sessions after password changes.
8. Ensure logging and alerting mechanisms are in place to detect unusual session activity or multiple concurrent sessions from different locations.
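As an added illustration of the control the analysis and recommendation 1 describe (this is not the Summer Pearl Group platform's code, which the page does not show), the session store below records the user's password generation in every session at login and bumps that generation on password change, so any token issued before the change stops validating; constructing the store with invalidate_on_change=False reproduces the pre-1.0.2 behaviour. The class, field names and toy KDF are assumptions.

```python
from __future__ import annotations
# Illustrative store, not the vendor's code: layout, field names and the toy
# KDF are assumptions. A session is valid only while its recorded generation
# matches the user's current one; change_password bumps the generation.
import hmac
import secrets
from hashlib import sha256

def hash_password(password: str, salt: bytes) -> bytes:
    return sha256(salt + password.encode()).digest()  # toy KDF; use argon2id/bcrypt

class SessionStore:
    def __init__(self, invalidate_on_change: bool = True) -> None:
        self.invalidate_on_change = invalidate_on_change  # False = pre-1.0.2 behaviour
        self.users: dict[str, dict] = {}                # name -> salt/hash/generation
        self.sessions: dict[str, tuple[str, int]] = {}  # token -> (name, generation)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "hash": hash_password(password, salt), "generation": 0}

    def login(self, username: str, password: str) -> str | None:
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["hash"], hash_password(password, user["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, user["generation"])  # remember the generation
        return token

    def authenticate(self, token: str) -> str | None:
        """Return the username behind a live session token, or None."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, generation = entry
        if self.invalidate_on_change and generation != self.users[username]["generation"]:
            del self.sessions[token]  # minted before the password change: dead
            return None
        return username

    def change_password(self, token: str, old: str, new: str) -> str | None:
        """Rotate the password; every session is invalidated, the caller gets a fresh one."""
        username = self.authenticate(token)
        user = self.users.get(username) if username else None
        if user is None or not hmac.compare_digest(user["hash"], hash_password(old, user["salt"])):
            return None
        user["salt"] = secrets.token_bytes(16)
        user["hash"] = hash_password(new, user["salt"])
        user["generation"] += 1  # every existing session is now stale
        return self.login(username, new)
```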


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-10-27T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 69051bc430c0d02a22040343

Added to database: 10/31/2025, 8:27:48 PM

Last enriched: 11/8/2025, 2:08:40 AM

Last updated: 12/14/2025, 4:30:31 PM
