Session Hijacking Vulnerability in Shibboleth Authentication Plugin in Moodle

Session Hijacking Vulnerability in Shibboleth Authentication Plugin in Moodle

CVE-2014-3552 · MEDIUM Severity

AV:N/AC:M/AU:S/C:P/I:P/A:P

The Shibboleth authentication plugin in auth/shibboleth/index.php in Moodle through 2.3.11, 2.4.x before 2.4.11, and 2.5.x before 2.5.7 does not check whether a session ID is empty, which allows remote authenticated users to hijack sessions via crafted plugin interaction.

Learn more about our User Device Pen Test.