
CVE-2025-63563: n/a

Published: Fri Oct 31 2025 (10/31/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Summer Pearl Group Vacation Rental Management Platform prior to v1.0.2 does not properly invalidate active user sessions after a password change. This allows an attacker with a valid session token to maintain access to the account even after the legitimate user changes their password.

AI-Powered Analysis

Last updated: 10/31/2025, 20:43:01 UTC

Technical Analysis

CVE-2025-63563 is a session management vulnerability identified in the Summer Pearl Group Vacation Rental Management Platform versions prior to 1.0.2. The platform fails to invalidate active user sessions when a password change occurs. Normally, changing a password should revoke all active sessions so that previously authenticated sessions cannot be used for further access. Because of this flaw, an attacker who has already acquired a valid session token can continue to access the victim's account even after the password is changed. This undermines the security benefit of password changes, which are typically used to recover from account compromise or to enhance security. Once the attacker holds a valid session token, no re-authentication or new credentials are needed, so the flaw is straightforward to exploit wherever session tokens are compromised through other means such as session hijacking or theft.

There are no known exploits in the wild at the time of publication, and no CVSS score has been assigned. The vulnerability impacts confidentiality and integrity by allowing persistent unauthorized access to user accounts, potentially exposing sensitive personal and financial data managed within the platform. The platform is used for managing vacation rental properties, which often involves sensitive customer information and payment details. The lack of session invalidation after password changes therefore represents a significant security risk, especially in environments where session tokens might be exposed or stolen. The issue can be mitigated by upgrading to version 1.0.2 or later, where this flaw has been addressed, and by implementing additional security controls such as multi-factor authentication and monitoring for unusual session activity.

Potential Impact

For European organizations using the Summer Pearl Group Vacation Rental Management Platform, this vulnerability poses a significant risk to the confidentiality and integrity of user accounts and associated data. Attackers who gain access to session tokens can maintain persistent access even after password changes, potentially leading to unauthorized data access, fraudulent transactions, or manipulation of rental listings and bookings. This can result in financial losses, reputational damage, and regulatory non-compliance, especially under GDPR, which mandates strict protection of personal data. The tourism and hospitality sectors in Europe, which heavily rely on digital platforms for property management, are particularly vulnerable. The persistence of unauthorized access could also facilitate lateral movement within organizational networks if integrated with other systems. Although no known exploits exist currently, the vulnerability's nature makes it a prime target for attackers who can intercept or steal session tokens through phishing, man-in-the-middle attacks, or malware. The impact is heightened in countries with large vacation rental markets and high digital adoption in property management.

Mitigation Recommendations

European organizations should immediately upgrade the Summer Pearl Group Vacation Rental Management Platform to version 1.0.2 or later, where the session invalidation issue has been fixed. In addition, organizations should implement multi-factor authentication (MFA) to reduce the risk of session token theft leading to account compromise. Monitoring and alerting for unusual session activity, such as concurrent sessions from different geographic locations or devices, can help detect exploitation attempts. Session tokens should be protected with the HttpOnly and Secure cookie flags, and session lifetimes should be kept short to reduce the window of opportunity for an attacker holding a stolen token. Organizations should also educate users about the risks of session hijacking and encourage secure practices such as logging out after use and avoiding public or unsecured networks. Regular security audits and penetration testing focused on session management can help identify residual weaknesses. Finally, incident response plans should be updated to include procedures for handling session token compromises.
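The advisory describes the flaw (a password change that leaves existing sessions valid) and the fix (revoking those sessions) in prose only. The following is an added example, not code from the Summer Pearl Group platform or from this page, showing one server-side pattern that closes the gap: every user record carries a password version, every session records the version it was issued under, and a session whose version no longer matches the user's is treated as revoked. The vulnerable variant is kept beside the fixed one so the difference is visible. The user and session stores are constructed in-memory dictionaries, and all names (`pw_version`, `change_password_fixed`, and so on) are assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for a database and a server-side session cache.
USERS = {}     # username -> {"salt": bytes, "pw_hash": bytes, "pw_version": int}
SESSIONS = {}  # token -> {"user": str, "pw_version": int, "created": float}


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_user(username, password):
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "pw_hash": _hash_password(password, salt), "pw_version": 0}


def login(username, password):
    """Verify the password and mint a session stamped with the user's current password version."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "pw_version": user["pw_version"], "created": time.time()}
    return token


def session_user(token):
    """Return the username a session token belongs to, or None if the session is invalid or revoked."""
    sess = SESSIONS.get(token)
    if sess is None:
        return None
    user = USERS[sess["user"]]
    # A session issued under an older password version was revoked by a password change.
    if sess["pw_version"] != user["pw_version"]:
        SESSIONS.pop(token, None)
        return None
    return sess["user"]


def change_password_vulnerable(username, new_password):
    """Mirrors the advisory's flaw: the credential is rotated but every existing session stays valid."""
    user = USERS[username]
    user["salt"] = os.urandom(16)
    user["pw_hash"] = _hash_password(new_password, user["salt"])


def change_password_fixed(username, new_password, current_token=None):
    """Rotate the credential and revoke every session except, optionally, the one making the change."""
    user = USERS[username]
    user["salt"] = os.urandom(16)
    user["pw_hash"] = _hash_password(new_password, user["salt"])
    user["pw_version"] += 1
    # Re-stamp the caller's own session so the legitimate user stays logged in;
    # every other token, including one held by an attacker, now fails the version check.
    if current_token is not None and SESSIONS.get(current_token, {}).get("user") == username:
        SESSIONS[current_token]["pw_version"] = user["pw_version"]


def demo():
    """Walk through the advisory scenario: a previously issued token survives only the vulnerable path."""
    create_user("alice", "old-password")
    leaked_token = login("alice", "old-password")   # constructed: a token that leaked earlier
    change_password_vulnerable("alice", "interim-password")
    still_valid_after_vulnerable = session_user(leaked_token)
    own_token = login("alice", "interim-password")
    change_password_fixed("alice", "new-password", current_token=own_token)
    return still_valid_after_vulnerable, session_user(leaked_token), session_user(own_token)


if __name__ == "__main__":
    print(demo())  # ('alice', None, 'alice')
```

Bumping a version rather than walking the session table means the revocation also works when sessions live in a distributed cache or are stateless tokens that embed the version at issue time; the check then happens on every request with a single comparison against the user record. Keeping the caller's own session alive is a usability choice; revoking it too, and forcing a fresh login, is equally valid and slightly stricter.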


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-10-27T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69051bc430c0d02a22040343

Added to database: 10/31/2025, 8:27:48 PM

Last enriched: 10/31/2025, 8:43:01 PM

Last updated: 11/1/2025, 1:23:36 PM
