vulnerability

Moodle: Session Fixation (CVE-2025-53021)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:N/AC:H/Au:N/C:P/I:P/A:N)	Jun 24, 2025	Jul 11, 2025	Feb 15, 2026

Severity

CVSS

(AV:N/AC:H/Au:N/C:P/I:P/A:N)

Published

Jun 24, 2025

Added

Jul 11, 2025

Modified

Feb 15, 2026

Description

A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Solution

moodle-upgrade-latest

References

CVE-2025-53021
https://attackerkb.com/topics/CVE-2025-53021
CWE-384
URL-https://github.com/moodle/moodle/releases/tag/v3.11.18
URL-https://moodledev.io/general/releases#moodle-311
URL-https://rentry.co/moodle-oauth2-cve

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today