CVE-2025-53021

MEDIUM

4.2

Descricao

A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Detalhes CVE

Pontuacao CVSS v3.14.2

SeveridadeMEDIUM

Vetor CVSSCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Vetor de ataqueNETWORK

ComplexidadeHIGH

Privilegios necessariosNONE

Interacao do usuarioREQUIRED

Publicado6/24/2025

Ultima modificacao7/9/2025

Fontenvd

Avistamentos honeypot0

Produtos afetados

moodle:moodle

Fraquezas (CWE)

CWE-384

Referencias

https://github.com/moodle/moodle/releases/tag/v3.11.18(cve@mitre.org)

https://moodledev.io/general/releases#moodle-311(cve@mitre.org)

https://rentry.co/moodle-oauth2-cve(cve@mitre.org)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.