CVE-2025-34031
published 2025-06-24CVE-2025-34031: A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user…
PriorityP181high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
2.96%
85.5th percentile
A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem by crafting a malicious query value. This vulnerability can be exploited without authentication and may expose sensitive configuration data, including database credentials. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| geoffrowland | jmol | <= 6.1 | — |
| moodle | jmol_plugin | <= 6.1 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Look for GET requests to /filter/jmol/js/jsmol/php/jsmol.php with the parameters call=getRawDataFromDatabase and a query value using the file:// URI scheme, indicating LFI exploitation attempts. ↗
- →Successful exploitation returns HTTP 200 with Content-Type: text/plain and body content matching the pattern root:.*:0:0: (i.e., /etc/passwd contents). ↗
- →The vulnerability is unauthenticated (PR:N, UI:N); no session or credentials are required to exploit it. Monitor for unauthenticated access to jsmol.php. ↗
- →Active in-the-wild exploitation was confirmed by the Shadowserver Foundation on 2025-02-02 UTC; treat any hits on this endpoint as high-priority. ↗
- →The vulnerable code path passes the query parameter directly to file_get_contents(); look for server-side logs showing file:// or path traversal sequences (e.g., ../) in the query parameter value. ↗
- ·Only Moodle instances with the Jmol Filter plugin version 6.1 or prior installed are vulnerable. Instances without this plugin are not affected. ↗
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv4.08.7HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck8.7HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-mf8r-552p-3grv: A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6
ghsa_unreviewed·2025-06-26
CVE-2025-34031 [HIGH] CWE-20 GHSA-mf8r-552p-3grv: A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6
A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem by crafting a malicious query value. This vulnerability can be exploited without authentication and may expose sensitive configuration data, including database credentials.
VulnCheck
geoffrowland jmol Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2025·CVSS 8.7
CVE-2025-34031 [HIGH] geoffrowland jmol Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
geoffrowland jmol Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem by crafting a malicious query value. This vulnerability can be exploited without authentication and may expose sensitive configuration data, including database credentials. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC.
Affected: Moodle LMS Jmol Plugin
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product
No detection rules found.
Nuclei
Moodle Jmol Filter 6.1 - Local File Inclusion
nuclei·CVSS 8.7
CVE-2025-34031 [HIGH] Moodle Jmol Filter 6.1 - Local File Inclusion
Moodle Jmol Filter 6.1 - Local File Inclusion
Moodle Jmol Filter 6.1 is vulnerable to local file inclusion through the jsmol.php file, allowing attackers to read arbitrary files on the server.
Template:
id: CVE-2025-34031
info:
name: Moodle Jmol Filter 6.1 - Local File Inclusion
author: madrobot
severity: high
description: |
Moodle Jmol Filter 6.1 is vulnerable to local file inclusion through the jsmol.php file, allowing attackers to read arbitrary files on the server.
impact: |
Attackers can read arbitrary files from the server through the jsmol.php endpoint, potentially exposing sensitive configuration files and credentials.
remediation: |
Upgrade Moodle Jmol Filter to a patched version or remove the vulnerable plugin if not required.
reference:
- https://www.exploit-db.com/exploits/
2025-06-24
Published
Exploited in the wild