GHSA-cgvv-3455-824j

Source

https://github.com/advisories/GHSA-cgvv-3455-824j

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-cgvv-3455-824j/GHSA-cgvv-3455-824j.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-cgvv-3455-824j

Aliases

CVE-2025-53021

Published

2025-06-24T21:30:29Z

Modified

2025-06-26T14:42:17.324017Z

Severity

4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Moodle Session Fixation allows unauthenticated users to hijack sessions via sesskey parameter

Details

A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Database specific

{
    "nvd_published_at": "2025-06-24T20:15:26Z",
    "cwe_ids": [
        "CWE-384"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-26T14:12:34Z",
    "severity": "MODERATE"
}

References

Affected packages

Packagist / moodle/moodle

Package

Name: moodle/moodle
Purl: pkg:composer/moodle/moodle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

4.0.0

Affected versions

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.0.6

v3.0.7

v3.0.8

v3.0.9

v3.0.10

v3.1.0-beta

v3.1.0-rc1

v3.1.0-rc2

v3.1.0

v3.1.1

v3.1.2

v3.1.3

v3.1.4

v3.1.5

v3.1.6

v3.1.7

v3.1.8

v3.1.9

v3.1.10

v3.1.11

v3.1.12

v3.1.13

v3.1.14

v3.1.15

v3.1.16

v3.1.17

v3.1.18

v3.2.0-beta

v3.2.0-rc1

v3.2.0-rc2

v3.2.0-rc3

v3.2.0-rc4

v3.2.0-rc5

v3.2.0

v3.2.1

v3.2.2

v3.2.3

v3.2.4

v3.2.5

v3.2.6

v3.2.7

v3.2.8

v3.2.9

v3.3.0-beta

v3.3.0-rc1

v3.3.0-rc2

v3.3.0-rc3

v3.3.0

v3.3.1

v3.3.2

v3.3.3

v3.3.4

v3.3.5

v3.3.6

v3.3.7

v3.3.8

v3.3.9

v3.4.0-beta

v3.4.0-rc1

v3.4.0-rc2

v3.4.0-rc3

v3.4.0

v3.4.1

v3.4.2

v3.4.3

v3.4.4

v3.4.5

v3.4.6

v3.4.7

v3.4.8

v3.4.9

v3.5.0-beta

v3.5.0-rc1

v3.5.0

v3.5.1

v3.5.2

v3.5.3

v3.5.4

v3.5.5

v3.5.6

v3.5.7

v3.5.8

v3.5.9

v3.5.10

v3.5.11

v3.5.12

v3.5.13

v3.5.14

v3.5.15

v3.5.16

v3.5.17

v3.5.18

v3.6.0-beta

v3.6.0-rc1

v3.6.0-rc2

v3.6.0-rc3

v3.6.0

v3.6.1

v3.6.2

v3.6.3

v3.6.4

v3.6.5

v3.6.6

v3.6.7

v3.6.8

v3.6.9

v3.6.10

v3.7.0-beta

v3.7.0-rc1

v3.7.0-rc2

v3.7.0

v3.7.1

v3.7.2

v3.7.3

v3.7.4

v3.7.5

v3.7.6

v3.7.7

v3.7.8

v3.7.9

v3.8.0-beta

v3.8.0-rc1

v3.8.0

v3.8.1

v3.8.2

v3.8.3

v3.8.4

v3.8.5

v3.8.6

v3.8.7

v3.8.8

v3.8.9

v3.9.0-beta

v3.9.0-rc1

v3.9.0-rc2

v3.9.0-rc3

v3.9.0

v3.9.1

v3.9.2

v3.9.3

v3.9.4

v3.9.5

v3.9.6

v3.9.7

v3.9.8

v3.9.9

v3.9.10

v3.9.11

v3.9.12

v3.9.13

v3.9.14

v3.9.15

v3.9.16

v3.9.17

v3.9.18

v3.9.19

v3.9.20

v3.9.21

v3.9.22

v3.9.23

v3.9.24

v3.9.25

v3.10.0-beta

v3.10.0-rc1

v3.10.0-rc2

v3.10.0

v3.10.1

v3.10.2

v3.10.3

v3.10.4

v3.10.5

v3.10.6

v3.10.7

v3.10.8

v3.10.9

v3.10.10

v3.10.11

v3.11.0-beta

v3.11.0-rc1

v3.11.0-rc2

v3.11.0

v3.11.1

v3.11.2

v3.11.3

v3.11.4

v3.11.5

v3.11.6

v3.11.7

v3.11.8

v3.11.9

v3.11.10

v3.11.11

v3.11.12

v3.11.13

v3.11.14

v3.11.15

v3.11.16

v3.11.17

v3.11.18

v4.*

v4.0.0-beta

v4.0.0-rc1

v4.0.0-rc2

v4.0.0-rc3

v4.0.0-rc4

Database specific

{
    "last_known_affected_version_range": "<= 3.11.18"
}