cbcvebase.
CVE-2025-34031
published 2025-06-24


Priority: P1 81 · high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 2.96% (85.5th percentile)
A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem by crafting a malicious query value. This vulnerability can be exploited without authentication and may expose sensitive configuration data, including database credentials. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
geoffrowland | jmol | <= 6.1 |
moodle | jmol_plugin | <= 6.1 |

Detection & IOCs (extracted from sources)

path: /filter/jmol/js/jsmol/php/jsmol.php
url: /filter/jmol/js/jsmol/php/jsmol.php?call=getRawDataFromDatabase&query=file:///etc/passwd
filename: jsmol.php
  • Look for GET requests to /filter/jmol/js/jsmol/php/jsmol.php with the parameters call=getRawDataFromDatabase and a query value using the file:// URI scheme, indicating LFI exploitation attempts.
  • Successful exploitation returns HTTP 200 with Content-Type: text/plain and body content matching the pattern root:.*:0:0: (i.e., /etc/passwd contents).
  • The vulnerability is unauthenticated (PR:N, UI:N); no session or credentials are required to exploit it. Monitor for unauthenticated access to jsmol.php.
  • Active in-the-wild exploitation was confirmed by the Shadowserver Foundation on 2025-02-02 UTC; treat any hits on this endpoint as high-priority.
  • The vulnerable code path passes the query parameter directly to file_get_contents(); look for server-side logs showing file:// or path traversal sequences (e.g., ../) in the query parameter value.
  • Only Moodle instances with the Jmol Filter plugin version 6.1 or prior installed are vulnerable. Instances without this plugin are not affected.
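
The log checks listed above can be combined into one access-log triage pass. This is an added example, not code from the advisory or the plugin; it assumes combined-format web server logs, and the sample lines, IP addresses and the benign example.org query are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/filter/jmol/js/jsmol/php/jsmol.php"  # path from the IOC list
# Request field of a combined-format access log line (assumed log format).
REQ = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_unquote(value, rounds=3):
    """Undo nested percent-encoding (e.g. %253A) up to a bounded depth."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return None, or a finding dict for a suspicious jsmol.php request."""
    m = REQ.search(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # endswith: Moodle may be installed under a sub-directory such as /moodle.
    if not fully_unquote(url.path).endswith(ENDPOINT):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if params.get("call", [""])[0] != "getRawDataFromDatabase":
        return None
    query = fully_unquote(params.get("query", [""])[0]).lower()
    reasons = []
    if query.startswith("file:"):
        reasons.append("file-scheme")
    if "../" in query or "..\\" in query:
        reasons.append("traversal")
    if not reasons:
        return None
    # A 200 means the file read may have succeeded: escalate those first.
    return {"reasons": reasons, "served": m["status"] == "200"}

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [02/Feb/2025:10:00:01 +0000] "GET /filter/jmol/js/jsmol/php/jsmol.php?call=getRawDataFromDatabase&query=file:///etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.7 - - [02/Feb/2025:10:00:05 +0000] "GET /moodle/filter/jmol/js/jsmol/php/jsmol.php?call=getRawDataFromDatabase&query=file%253A%252F%252F%252Fetc%252Fpasswd HTTP/1.1" 403 199',
    '198.51.100.4 - - [02/Feb/2025:10:01:00 +0000] "GET /filter/jmol/js/jsmol/php/jsmol.php?call=getRawDataFromDatabase&query=https://files.example.org/1crn.pdb HTTP/1.1" 200 5120',
    '198.51.100.9 - - [02/Feb/2025:10:02:00 +0000] "GET /index.php?query=file:///etc/passwd HTTP/1.1" 404 0',
]
if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
```

Findings with `served` set to true are the ones to pair with a response-body check for the `root:.*:0:0:` pattern where response capture is available.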

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck | | 8.7 | HIGH |