216.73.217.98

CVE-2025-53021

· Published 24/06/2025 20:15 · Modified 24/06/2025 20:15

Labels: CVE-2025-53021 2025-06-24CVE-2025-53021CWE-384[email protected]

Essential information

Published
24/06/2025 20:15
Modified
24/06/2025 20:15
Author
Creator
CVSS
4.2 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS metrics

Description

A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
moodle / moodle cpe:2.3:a:moodle:moodle:3.0-3.11.18:*:*:*:*:*:*:*

References