← Retour aux CVEs
CVE-2025-53021
MEDIUM4.2
Description
A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Details CVE
Score CVSS v3.14.2
SeveriteMEDIUM
Vecteur CVSSCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Vecteur d'attaqueNETWORK
ComplexiteHIGH
Privileges requisNONE
Interaction utilisateurREQUIRED
Publie6/24/2025
Derniere modification7/9/2025
Sourcenvd
Observations honeypot0
Produits affectes
moodle:moodle
Faiblesses (CWE)
CWE-384
References
https://github.com/moodle/moodle/releases/tag/v3.11.18(cve@mitre.org)
https://moodledev.io/general/releases#moodle-311(cve@mitre.org)
https://rentry.co/moodle-oauth2-cve(cve@mitre.org)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.