PT-2025-26658 · Moodle · Moodle Lms Jmol Plugin

Dionach Admin · Published 2025-06-24 · Updated 2025-11-19 · CVE-2025-34031

CVSS v4.0: 8.7 High

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions: Moodle LMS Jmol plugin versions 6.1 and prior
Description: A path traversal vulnerability exists in the Moodle LMS Jmol plugin via the query parameter in jsmol.php. The script passes user input directly to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem by crafting a malicious query value. This issue can be exploited without authentication and may expose sensitive configuration data, including database credentials.
Recommendations: For Moodle LMS Jmol plugin versions 6.1 and prior, as a temporary workaround, consider disabling the file_get_contents() function or restricting access to the jsmol.php file until a patch is available. Avoid using the query parameter in the jsmol.php file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
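
While access to jsmol.php is being restricted, the web access log can be checked for requests whose query value looks like a local path or stream wrapper. The following Python triage function is an added example, not code from the advisory or the plugin; it assumes a combined-format access log and that the parameter is literally named `query`, and its sample lines are constructed with a placeholder plugin path.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumptions (not from the advisory): combined-format access log, and the
# vulnerable parameter is literally named "query".
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Traversal sequences, absolute paths (POSIX or Windows drive), stream wrappers.
SUSPICIOUS_RE = re.compile(
    r'\.\.[/\\]|^[/\\]|^[a-z]:[/\\]|^(?:file|php|phar|zip|glob|expect)://', re.I)

# Constructed sample lines; PLUGIN_PATH is a placeholder, not the real path.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Jun/2025:10:01:02 +0000] "GET /moodle/PLUGIN_PATH/jsmol.php?query=..%2F..%2Fexample.txt HTTP/1.1" 200 1532',
    '203.0.113.7 - - [24/Jun/2025:10:01:05 +0000] "GET /moodle/PLUGIN_PATH/jsmol.php?query=%252e%252e%252fexample.txt HTTP/1.1" 200 88',
    '198.51.100.4 - - [24/Jun/2025:10:02:00 +0000] "GET /moodle/PLUGIN_PATH/jsmol.php?query=https%3A%2F%2Fexample.org%2Fmodel.pdb HTTP/1.1" 200 9120',
    '198.51.100.4 - - [24/Jun/2025:10:02:09 +0000] "GET /moodle/index.php?query=..%2Fexample.txt HTTP/1.1" 200 301',
    '192.0.2.55 - - [24/Jun/2025:10:03:11 +0000] "GET /moodle/PLUGIN_PATH/jsmol.php?query=file%3A%2F%2F%2Ftmp%2Fexample.txt HTTP/1.1" 403 0',
]

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %252e) a bounded number of times."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_jsmol_requests(lines):
    """Return (client_ip, http_status, decoded_value) for each flagged request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/jsmol.php"):
            continue  # only the script named in the advisory
        for raw in parse_qs(url.query, keep_blank_values=True).get("query", []):
            value = fully_decode(raw).strip()
            if SUSPICIOUS_RE.search(value):
                hits.append((m["ip"], int(m["status"]), value))
    return hits

if __name__ == "__main__":
    for ip, status, value in suspicious_jsmol_requests(SAMPLE_LOG):
        print(f"{ip} status={status} query={value!r}")
```

Flagged requests that returned status 200 are the ones to review first, since the response may have included file contents.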

Exploit · Path traversal · Information Disclosure · RCE

Weakness Enumeration

Related Identifiers: CVE-2025-34031

Affected Products: Moodle Lms Jmol Plugin