CVE-2014-3552 Information

Description

The Shibboleth authentication plugin in auth/shibboleth/index.php in Moodle through 2.3.11 2.4.x before 2.4.11 and 2.5.x before 2.5.7 does not check whether a session ID is empty which allows remote authenticated users to hijack sessions via crafted plugin interaction.

Reference

http://git.moodle.org/gw?p=moodle.git&a=search&h=refs2Fheads2FMOODLE_25_STABLE&st=commit&s=MDL-45485 http://openwall.com/lists/oss-security/2014/07/21/1 https://moodle.org/mod/forum/discuss.php?d=264261