Moodle Session Fixation Vulnerability Allowing Account Takeover

Vulnerability

A session fixation vulnerability has been identified in Moodle versions 3.x through 3.11.18. It allows unauthenticated attackers to hijack user sessions by abusing the sesskey parameter: the sesskey can be obtained without authentication and reused within the OAuth2 login flow, so that the victim's authenticated session becomes linked to the attacker's. Successful exploitation leads to full account takeover.

Impact

Exploitation of this vulnerability allows for session hijacking and unauthorized access to user accounts via the OAuth2 authentication flow.

Reproduction

To reproduce this vulnerability, an attacker first sends an unauthenticated request to the login page, which yields a session cookie and a sesskey. That sesskey is then placed in an OAuth2 login request; if a victim completes the login flow, the attacker's pre-existing session ends up linked to the victim's account.
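The advisory describes the textbook session fixation pattern: a value issued to an unauthenticated request is still honoured after a different user authenticates through it. The following added example (not Moodle code, and not the advisory's reproduction steps) models that generically with a toy in-memory session store and two login-completion handlers. The vulnerable handler keeps the pre-authentication identifier and simply attaches the user to it; the hardened handler discards it and issues a fresh identifier at the moment of authentication, which is the standard mitigation for this vulnerability class. The store, the handler names and the "victim" label are all constructed for the illustration.

```python
"""Session fixation, vulnerable vs. hardened login completion (constructed toy)."""
import secrets


class SessionStore:
    """Minimal in-memory session store keyed by an opaque session id."""

    def __init__(self):
        self._sessions = {}  # session_id -> dict of session attributes

    def create(self):
        # Fresh, unguessable id for a new (not yet authenticated) session.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def complete_login_vulnerable(store, sid, user):
    """Fixation-prone: bind the user to whatever session id the request carries.

    Any party that learned `sid` before authentication keeps a valid handle
    on the now-authenticated session.
    """
    sess = store.get(sid)
    if sess is None:
        raise KeyError("unknown session")
    sess["user"] = user
    return sid


def complete_login_hardened(store, sid, user):
    """Mitigation: drop the pre-auth session and issue a new id on authentication."""
    if store.get(sid) is None:
        raise KeyError("unknown session")
    store.destroy(sid)
    new_sid = store.create()
    store.get(new_sid)["user"] = user
    return new_sid


def pre_auth_id_still_authenticated(login):
    """Return True if an id issued before authentication resolves to the
    authenticated user after `login` completes (i.e. fixation is possible)."""
    store = SessionStore()
    pre_auth_sid = store.create()  # id handed out to an unauthenticated request
    # The same id is presented when the login flow completes.
    login(store, pre_auth_sid, "victim")
    sess = store.get(pre_auth_sid)
    return sess is not None and sess["user"] == "victim"


if __name__ == "__main__":
    print("vulnerable handler, pre-auth id authenticated:",
          pre_auth_id_still_authenticated(complete_login_vulnerable))  # True
    print("hardened handler, pre-auth id authenticated:",
          pre_auth_id_still_authenticated(complete_login_hardened))    # False
```

The check worth carrying into a real code base is the one in `pre_auth_id_still_authenticated`: any identifier the server accepted before login must stop resolving to the logged-in user once authentication completes, regardless of which login flow (password, OAuth2, or otherwise) performed it.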

Added: Jun 24, 2025, 8:25 PM
Updated: Jun 24, 2025, 8:25 PM

Vulnerability Rating

Custom Algorithm

spread          5.0
impact          5.0
exploitability  7.7
remediation     0.0
relevance       0.2
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.