Session Fixation Vulnerability in Moodle by Moodle Pty Ltd
CVE-2025-53021

4.2 MEDIUM

Key Information:

Vendor: Moodle

Status: Vendor

CVE Published: 24 June 2025

What is CVE-2025-53021?

A session fixation vulnerability exists in Moodle versions 3.x through 3.11.18. An unauthenticated attacker can obtain a 'sesskey' value without logging in and use it during the OAuth2 login flow to bind the victim's session to one the attacker controls, thereby hijacking the victim's session. This could lead to unauthorized access and complete control over the affected user account. Note that this vulnerability affects only product versions that are no longer supported by the maintainer.

Affected Version(s)

Moodle 3 <= 3.11.18

CVSS V3.1

Score: 4.2
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
