CVE-2025-53021

EPSS 0.13%
Published 24.06.2025 00:00:00
Last modified 09.07.2025 15:23:31
Source cve@mitre.org
Teams watchlist Login
Open Login

A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Affected products Warnungen 0 Metrics 2 CWE 1 References 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Data is provided by the National Vulnerability Database (NVD)

Moodle ≫ Moodle Version >= 3.0.0 <= 3.11.18

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.13%	0.334

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
cve@mitre.org	4.2	1.6	2.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CWE-384 Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

https://rentry.co/moodle-oauth2-cve

Third Party Advisory

https://github.com/moodle/moodle/releases/tag/v3.11.18

Product

https://moodledev.io/general/releases#moodle-311

Product

https://nvd.nist.gov/vuln/detail/CVE-2025-53021

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-53021

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-53021

EUVD