Description
A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem by crafting a malicious query value. This vulnerability can be exploited without authentication and may expose sensitive configuration data, including database credentials. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC.
Published: 2025-06-24
Score: 8.7 High
EPSS: 18.3% Moderate
KEV: No
Impact: Read arbitrary files, exposing sensitive configuration and credentials
Action: Patch Immediately
AI Analysis

Impact

A recent vulnerability in Moodle’s Jmol plugin allows attackers to traverse the filesystem and read any file on the server. The flaw resides in the jsmol.php script, which accepts a query parameter and passes it directly to file_get_contents() without sanitization. An attacker can supply a crafted value that causes the server to read arbitrary files, including configuration files that store database credentials. The issue can be triggered without authentication, and Shadowserver confirmed exploitation in February 2025.

Affected Systems

Any Moodle installation that has Jmol plugin version 6.1 or older is affected. This includes all deployments that have not upgraded the plugin beyond the stated version. The problem is limited to the Jmol plugin module and does not involve other Moodle components.

Risk and Exploitability

The vulnerability has a CVSS score of 8.7, indicating high severity, and an EPSS of 18%, suggesting a substantive likelihood of exploitation in the near term. It is not listed in CISA’s KEV catalog, but the recent proof‑of‑concept activity and the high EPSS indicate that it may be actively targeted. Attackers can exploit this flaw remotely via HTTP requests, bypassing authentication, and read sensitive files directly from the file system.

Generated by OpenCVE AI on April 28, 2026 at 01:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Moodle Jmol plugin version that fixes the path traversal flaw.
  • If an upgrade cannot be performed immediately, place the Moodle directory and the jsmol.php endpoint behind a firewall or web application firewall rule that blocks requests containing ".." or multiple slashes, and restrict file system access permissions.
  • Configure the Moodle environment to validate and sanitize the query parameter before it is passed to file_get_contents(), ensuring only allowed paths are accessed.
  • Monitor web logs for unexpected file read attempts and alert on suspicious activity.

Generated by OpenCVE AI on April 28, 2026 at 01:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-18971 A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem by crafting a malicious query value. This vulnerability can be exploited without authentication and may expose sensitive configuration data, including database credentials.
History

Thu, 20 Nov 2025 21:30:00 +0000

Type Values Removed Values Added
Description A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem by crafting a malicious query value. This vulnerability can be exploited without authentication and may expose sensitive configuration data, including database credentials. Exploitation evidence was observed by the Shadowserver Foundation on 2025-10-07 UTC. A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem by crafting a malicious query value. This vulnerability can be exploited without authentication and may expose sensitive configuration data, including database credentials. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC.

Wed, 19 Nov 2025 22:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-200

Wed, 19 Nov 2025 21:45:00 +0000

Type Values Removed Values Added
Description A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem by crafting a malicious query value. This vulnerability can be exploited without authentication and may expose sensitive configuration data, including database credentials. A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem by crafting a malicious query value. This vulnerability can be exploited without authentication and may expose sensitive configuration data, including database credentials. Exploitation evidence was observed by the Shadowserver Foundation on 2025-10-07 UTC.

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.05247}

 epss

{'score': 0.02358}

Wed, 09 Jul 2025 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Geoffrowland
Geoffrowland jmol
CPEs cpe:2.3:a:geoffrowland:jmol:*:*:*:*:*:moodle:*:*
Vendors & Products Geoffrowland
Geoffrowland jmol
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Wed, 25 Jun 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Jun 2025 04:45:00 +0000

Type Values Removed Values Added
References

Tue, 24 Jun 2025 02:30:00 +0000

Type Values Removed Values Added
References

Tue, 24 Jun 2025 01:15:00 +0000

Type Values Removed Values Added
Description A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem by crafting a malicious query value. This vulnerability can be exploited without authentication and may expose sensitive configuration data, including database credentials.
Title Moodle LMS Jmol Plugin Path Traversal
Weaknesses CWE-20
CWE-200
CWE-22
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Geoffrowland Jmol
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:09:07.116Z

Reserved: 2025-04-15T19:15:22.546Z

Link: CVE-2025-34031

cve-icon Vulnrichment

Updated: 2025-06-25T12:38:10.995Z

cve-icon NVD

Status : Modified

Published: 2025-06-24T01:15:23.340

Modified: 2025-11-20T22:15:55.557

Link: CVE-2025-34031

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T01:30:17Z

Weaknesses