← Zuruck zu CVEs
CVE-2025-53021
MEDIUM4.2
Beschreibung
A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE Details
CVSS v3.1 Bewertung4.2
SchweregradMEDIUM
CVSS VektorCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
AngriffsvektorNETWORK
KomplexitatHIGH
Erforderliche PrivilegienNONE
BenutzerinteraktionREQUIRED
Veroffentlicht6/24/2025
Zuletzt geandert7/9/2025
Quellenvd
Honeypot-Sichtungen0
Betroffene Produkte
moodle:moodle
Schwachen (CWE)
CWE-384
Referenzen
https://github.com/moodle/moodle/releases/tag/v3.11.18(cve@mitre.org)
https://moodledev.io/general/releases#moodle-311(cve@mitre.org)
https://rentry.co/moodle-oauth2-cve(cve@mitre.org)
IOC Korrelationen
Keine Korrelationen erfasst
This product uses data from the NVD API but is not endorsed or certified by the NVD.