CVE-2025-53021 (GCVE-0-2025-53021)

Vulnerability from cvelistv5 – Published: 2025-06-24 00:00 – Updated: 2025-06-24 19:46
VLAI?
Summary
A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Severity ?
4.2 (Medium)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
CWE
Assigner
References
Impacted products
Vendor Product Version
Moodle Moodle Affected: 3 , ≤ 3.11.18 (custom)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53021",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-24T19:46:30.849426Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-24T19:46:49.641Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Moodle",
          "vendor": "Moodle",
          "versions": [
            {
              "lessThanOrEqual": "3.11.18",
              "status": "affected",
              "version": "3",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "3.11.18",
                  "versionStartIncluding": "3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim\u0027s session being linked to the attacker\u0027s. Successful exploitation results in full account takeover. According to the Moodle Releases page, \"Bug fixes for security issues in 3.11.x ended 11 December 2023.\" NOTE: This vulnerability only affects products that are no longer supported by the maintainer."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-384",
              "description": "CWE-384 Session Fixation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-24T19:22:54.821Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://rentry.co/moodle-oauth2-cve"
        },
        {
          "url": "https://github.com/moodle/moodle/releases/tag/v3.11.18"
        },
        {
          "url": "https://moodledev.io/general/releases#moodle-311"
        }
      ],
      "tags": [
        "unsupported-when-assigned"
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-53021",
    "datePublished": "2025-06-24T00:00:00.000Z",
    "dateReserved": "2025-06-24T00:00:00.000Z",
    "dateUpdated": "2025-06-24T19:46:49.641Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-53021\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2025-06-24T20:15:26.867\",\"lastModified\":\"2025-07-09T15:23:31.237\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[{\"sourceIdentifier\":\"cve@mitre.org\",\"tags\":[\"unsupported-when-assigned\"]}],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim\u0027s session being linked to the attacker\u0027s. Successful exploitation results in full account takeover. According to the Moodle Releases page, \\\"Bug fixes for security issues in 3.11.x ended 11 December 2023.\\\" NOTE: This vulnerability only affects products that are no longer supported by the maintainer.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de fijaci\u00f3n de sesi\u00f3n en Moodle 3.x a 3.11.18 permite a atacantes no autenticados secuestrar sesiones de usuario mediante el par\u00e1metro sesskey. Este par\u00e1metro se puede obtener sin autenticaci\u00f3n y reutilizar en el flujo de inicio de sesi\u00f3n de OAuth2, lo que vincula la sesi\u00f3n de la v\u00edctima a la del atacante. Una explotaci\u00f3n exitosa resulta en la apropiaci\u00f3n total de la cuenta. Seg\u00fan la p\u00e1gina de versiones de Moodle, \\\"Las correcciones de errores de seguridad en 3.11.x finalizaron el 11 de diciembre de 2023\\\". NOTA: Esta vulnerabilidad solo afecta a los productos que ya no reciben soporte del fabricante. \"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N\",\"baseScore\":4.2,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"cve@mitre.org\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-384\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndIncluding\":\"3.11.18\",\"matchCriteriaId\":\"3452833D-B192-471B-B958-44ADA0C3CCC8\"}]}]}],\"references\":[{\"url\":\"https://github.com/moodle/moodle/releases/tag/v3.11.18\",\"source\":\"cve@mitre.org\",\"tags\":[\"Product\"]},{\"url\":\"https://moodledev.io/general/releases#moodle-311\",\"source\":\"cve@mitre.org\",\"tags\":[\"Product\"]},{\"url\":\"https://rentry.co/moodle-oauth2-cve\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-53021\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-24T19:46:30.849426Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-24T19:46:38.235Z\"}}], \"cna\": {\"tags\": [\"unsupported-when-assigned\"], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 4.2, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N\"}}], \"affected\": [{\"vendor\": \"Moodle\", \"product\": \"Moodle\", \"versions\": [{\"status\": \"affected\", \"version\": \"3\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"3.11.18\"}], \"defaultStatus\": \"unknown\"}], \"references\": [{\"url\": \"https://rentry.co/moodle-oauth2-cve\"}, {\"url\": \"https://github.com/moodle/moodle/releases/tag/v3.11.18\"}, {\"url\": \"https://moodledev.io/general/releases#moodle-311\"}], \"x_generator\": {\"engine\": \"enrichogram 0.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim\u0027s session being linked to the attacker\u0027s. Successful exploitation results in full account takeover. According to the Moodle Releases page, \\\"Bug fixes for security issues in 3.11.x ended 11 December 2023.\\\" NOTE: This vulnerability only affects products that are no longer supported by the maintainer.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-384\", \"description\": \"CWE-384 Session Fixation\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"3.11.18\", \"versionStartIncluding\": \"3\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2025-06-24T19:22:54.821Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-53021\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-24T19:46:49.641Z\", \"dateReserved\": \"2025-06-24T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2025-06-24T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.