Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-53021

A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Published

2025-06-24T20:15:26.867

Last Modified

2025-07-09T15:23:31.237

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 4.2 (MEDIUM)

Weaknesses

Type: Primary
CWE-384

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	moodle	moodle	≤ 3.11.18	Yes

References

https://github.com/moodle/moodle/releases/tag/v3.11.18 Product ([email protected])
https://moodledev.io/general/releases#moodle-311 Product ([email protected])
https://rentry.co/moodle-oauth2-cve Third Party Advisory ([email protected])