← Back to CVEs
CVE-2025-53021
MEDIUM4.2
Description
A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE Details
CVSS v3.1 Score4.2
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack VectorNETWORK
ComplexityHIGH
Privileges RequiredNONE
User InteractionREQUIRED
Published6/24/2025
Last Modified7/9/2025
Sourcenvd
Honeypot Sightings0
Affected Products
moodle:moodle
Weaknesses (CWE)
CWE-384
References
https://github.com/moodle/moodle/releases/tag/v3.11.18(cve@mitre.org)
https://moodledev.io/general/releases#moodle-311(cve@mitre.org)
https://rentry.co/moodle-oauth2-cve(cve@mitre.org)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.