Moodle 1.8.x and 1.9.x before 1.9.8 does not enable the "Regenerate session id during login" setting by default, which makes it easier for remote attackers to conduct session fixation attacks.
2010-04-29T21:30:00.620
2025-04-11T00:51:21.963
Deferred
CVSSv2: 6.8 (MEDIUM)
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.6
6.4
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | moodle | moodle | 1.8.1 | Yes |
| Application | moodle | moodle | 1.8.2 | Yes |
| Application | moodle | moodle | 1.8.3 | Yes |
| Application | moodle | moodle | 1.8.4 | Yes |
| Application | moodle | moodle | 1.8.5 | Yes |
| Application | moodle | moodle | 1.8.6 | Yes |
| Application | moodle | moodle | 1.8.7 | Yes |
| Application | moodle | moodle | 1.8.8 | Yes |
| Application | moodle | moodle | 1.8.9 | Yes |
| Application | moodle | moodle | 1.8.10 | Yes |
| Application | moodle | moodle | 1.8.11 | Yes |
| Application | moodle | moodle | 1.9.1 | Yes |
| Application | moodle | moodle | 1.9.2 | Yes |
| Application | moodle | moodle | 1.9.3 | Yes |
| Application | moodle | moodle | 1.9.4 | Yes |
| Application | moodle | moodle | 1.9.5 | Yes |
| Application | moodle | moodle | 1.9.6 | Yes |
| Application | moodle | moodle | 1.9.7 | Yes |