CVE-2025-53021

Name of the Vulnerable Software and Affected Versions: Moodle versions 3.x through 3.11.18

Description: A session fixation issue allows unauthenticated attackers to hijack user sessions via the sesskey parameter. This parameter can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's, leading to full account takeover.

Recommendations: For Moodle versions 3.x through 3.11.18, as these versions are no longer supported by the maintainer, consider upgrading to a supported version to mitigate the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.