Search for vulnerabilities
Vulnerability details: VCID-t2ex-yk55-gub7
Vulnerability ID VCID-t2ex-yk55-gub7
Aliases CVE-2025-53021
GHSA-cgvv-3455-824j
Summary Moodle Session Fixation allows unauthenticated users to hijack sessions via sesskey parameter A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-384 Session Fixation
System Score Found at
epss 0.00069 https://api.first.org/data/v1/epss?cve=CVE-2025-53021
epss 0.00069 https://api.first.org/data/v1/epss?cve=CVE-2025-53021
cvssv3.1 4.2 https://github.com/moodle/moodle
generic_textual MODERATE https://github.com/moodle/moodle
cvssv3.1 4.2 https://github.com/moodle/moodle/releases/tag/v3.11.18
generic_textual MODERATE https://github.com/moodle/moodle/releases/tag/v3.11.18
ssvc Track https://github.com/moodle/moodle/releases/tag/v3.11.18
cvssv3.1 4.2 https://moodledev.io/general/releases#moodle-311
generic_textual MODERATE https://moodledev.io/general/releases#moodle-311
ssvc Track https://moodledev.io/general/releases#moodle-311
cvssv3.1 4.2 https://nvd.nist.gov/vuln/detail/CVE-2025-53021
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-53021
cvssv3.1 4.2 https://rentry.co/moodle-oauth2-cve
generic_textual MODERATE https://rentry.co/moodle-oauth2-cve
ssvc Track https://rentry.co/moodle-oauth2-cve
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2025-53021
https://github.com/moodle/moodle
https://github.com/moodle/moodle/releases/tag/v3.11.18
https://moodledev.io/general/releases#moodle-311
https://nvd.nist.gov/vuln/detail/CVE-2025-53021
https://rentry.co/moodle-oauth2-cve
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://github.com/moodle/moodle
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://github.com/moodle/moodle/releases/tag/v3.11.18
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-24T19:46:30Z/ Found at https://github.com/moodle/moodle/releases/tag/v3.11.18
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://moodledev.io/general/releases#moodle-311
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-24T19:46:30Z/ Found at https://moodledev.io/general/releases#moodle-311
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-53021
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://rentry.co/moodle-oauth2-cve
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-24T19:46:30Z/ Found at https://rentry.co/moodle-oauth2-cve
Exploit Prediction Scoring System (EPSS)
Percentile 0.21728
EPSS Score 0.00069
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:12:58.505324+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-cgvv-3455-824j/GHSA-cgvv-3455-824j.json 36.1.3