Moodle is vulnerable to session hijacking attacks. The attack is possible because the application permits the use of empty session IDs, allowing association of an empty ID with more than one instance. This can allow a malicious user to take over another user’s session.