CVE-2025-53021

EPSS 0.13%
Veröffentlicht 24.06.2025 00:00:00
Zuletzt bearbeitet 09.07.2025 15:23:31
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Moodle ≫ Moodle Version >= 3.0.0 <= 3.11.18

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.13%	0.334

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cve@mitre.org	4.2	1.6	2.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CWE-384 Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

https://rentry.co/moodle-oauth2-cve

Third Party Advisory

https://github.com/moodle/moodle/releases/tag/v3.11.18

Product

https://moodledev.io/general/releases#moodle-311

Product

https://nvd.nist.gov/vuln/detail/CVE-2025-53021

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-53021

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-53021

EUVD