← Volver a CVEs
CVE-2025-53021
MEDIUM4.2
Descripcion
A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Detalles CVE
Puntuacion CVSS v3.14.2
SeveridadMEDIUM
Vector CVSSCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Vector de ataqueNETWORK
ComplejidadHIGH
Privilegios requeridosNONE
Interaccion usuarioREQUIRED
Publicado6/24/2025
Ultima modificacion7/9/2025
Fuentenvd
Avistamientos honeypot0
Productos afectados
moodle:moodle
Debilidades (CWE)
CWE-384
Referencias
https://github.com/moodle/moodle/releases/tag/v3.11.18(cve@mitre.org)
https://moodledev.io/general/releases#moodle-311(cve@mitre.org)
https://rentry.co/moodle-oauth2-cve(cve@mitre.org)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.