CVE-2025-53021
BaseFortify

Publication date: 2025-06-24

Last updated on: 2025-07-09

Assigner: MITRE

Description
A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Meta Information
Published: 2025-06-24
Last Modified: 2025-07-09
Generated: 2026-05-06
AI Q&A: 2025-06-24
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: moodle
Product: moodle
Version / Range: from 3.0.0 (inclusive) to 3.11.18 (inclusive)
CWE
CWE-384: Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-53021 is a session fixation vulnerability in Moodle versions 3.x through 3.11.18. An unauthenticated attacker can obtain a sesskey parameter from the login page without authentication and use it to craft a malicious OAuth2 login URL. When a victim uses this URL, their session becomes linked to the attacker's session, allowing the attacker to hijack the victim's account and achieve full account takeover. [1]


How can this vulnerability impact me?

This vulnerability can lead to full account takeover by an attacker. By exploiting the sesskey parameter in the OAuth2 login flow, an attacker can hijack a victim's session and gain unauthorized access to their Moodle account, potentially compromising sensitive information and user data. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking whether a sesskey parameter is present in, and reused across, OAuth2 login URLs. One approach is to fetch the Moodle login page with curl, save the cookies, and extract the sesskey value from the page content or URL, for example: curl -c cookies.txt https://<moodle-instance>/login/index.php. Then observe whether OAuth2 login URLs carry that same sesskey parameter being reused. Monitoring network traffic for OAuth2 login requests containing sesskey parameters can also help detect exploitation attempts. [1]
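As an added illustration of the monitoring approach just described (not part of the BaseFortify record or of Moodle's own code), the following Python script scans constructed access-log lines for OAuth2 login requests that carry a sesskey parameter and flags any sesskey value presented by more than one client address. The endpoint path /auth/oauth2/login.php and the combined log format are assumptions about the deployment.

```python
"""Scan web-server access logs for OAuth2 login requests carrying a sesskey
parameter and flag sesskey values reused from more than one client address.
Added example; the log lines below are constructed and the endpoint path is
an assumption about the deployment, not taken from the advisory."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined-log-format pattern: client IP, timestamp, then the quoted request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*"'
)

# Assumed path of the OAuth2 login endpoint; adjust to the deployment.
OAUTH2_LOGIN_PATH = "/auth/oauth2/login.php"

# Constructed sample log: one sesskey is presented by two different clients.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jun/2025:10:00:01 +0000] "GET /login/index.php HTTP/1.1" 200 5120
203.0.113.7 - - [24/Jun/2025:10:00:05 +0000] "GET /auth/oauth2/login.php?id=1&sesskey=AbCdEf1234 HTTP/1.1" 302 0
198.51.100.22 - - [24/Jun/2025:10:03:11 +0000] "GET /auth/oauth2/login.php?id=1&sesskey=AbCdEf1234 HTTP/1.1" 302 0
198.51.100.22 - - [24/Jun/2025:10:03:12 +0000] "GET /auth/oauth2/login.php?id=1&wantsurl=%2F HTTP/1.1" 302 0
192.0.2.9 - - [24/Jun/2025:10:05:00 +0000] "GET /auth/oauth2/login.php?id=2&sesskey=ZzYyXx9876 HTTP/1.1" 302 0
"""

def oauth2_sesskey_requests(log_text):
    """Yield (client_ip, sesskey) for each OAuth2 login request carrying a sesskey."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if parts.path != OAUTH2_LOGIN_PATH:
            continue
        keys = parse_qs(parts.query).get("sesskey")
        if keys:
            yield m.group("ip"), keys[0]

def find_reused_sesskeys(log_text):
    """Return {sesskey: sorted client IPs} for sesskey values presented on the
    OAuth2 login URL by more than one client: the trace a fixated key leaves."""
    seen = defaultdict(set)
    for ip, key in oauth2_sesskey_requests(log_text):
        seen[key].add(ip)
    return {k: sorted(ips) for k, ips in seen.items() if len(ips) > 1}

if __name__ == "__main__":
    for key, ips in find_reused_sesskeys(SAMPLE_LOG).items():
        print(f"sesskey {key} used on OAuth2 login by {len(ips)} clients: {', '.join(ips)}")
```

A single client presenting a sesskey is normal; the alert condition is the same key arriving from different addresses, which is worth correlating with the session store before acting.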


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include disabling or restricting OAuth2 login flows that accept the sesskey parameter, avoiding the use of unsupported Moodle versions (3.x through 3.11.18) as these are no longer maintained, and applying any available patches or upgrading to a supported Moodle version that does not have this vulnerability. Additionally, monitoring and blocking suspicious OAuth2 login URLs containing sesskey parameters can help reduce risk until an upgrade or patch is applied. [1]

