- Description
- A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
- Source
- cve@mitre.org
- NVD status
- Analyzed
- CNA Tags
- unsupported-when-assigned
CVSS 3.1
- Type
- Secondary
- Base score
- 4.2
- Impact score
- 2.5
- Exploitability score
- 1.6
- Vector string
- CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
- Severity
- MEDIUM
- cve@mitre.org
- CWE-384
- Hype score
- Not currently trending
CVE-2025-53021 Session Fixation Vulnerability in Moodle 3.x Enables Unauthenticated Account Takeover https://t.co/0TH78LZXfY
@VulmonFeeds
24 Jun 2025
92 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-53021 A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be … https://t.co/aVZ8BBBcKX
@CVEnew
24 Jun 2025
438 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "3452833D-B192-471B-B958-44ADA0C3CCC8",
"versionEndIncluding": "3.11.18",
"versionStartIncluding": "3.0.0"
}
],
"operator": "OR"
}
]
}
]