CVE-2025-34031
BaseFortify
Publication date: 2025-06-24
Last updated on: 2025-11-20
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| geoffrowland | jmol | up to and including 6.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a path traversal flaw in the Moodle LMS Jmol plugin version 6.1 and earlier. It occurs because the plugin's PHP script (jsmol.php) uses the file_get_contents() function on user-supplied input without proper validation. This allows attackers to craft malicious queries that can read arbitrary files on the server's filesystem. The vulnerability can be exploited without authentication and may expose sensitive data such as configuration files and database credentials. Additionally, the plugin contains other critical issues like server-side request forgery (SSRF), remote code execution (if PHP's 'expect' wrapper is enabled), and reflected cross-site scripting (XSS). [1]
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to unauthorized disclosure of sensitive server files, including configuration files and database credentials, potentially compromising the entire system. Attackers can read arbitrary files, perform SSRF attacks, and possibly achieve remote code execution under certain conditions. The vulnerability requires no authentication, making it easier for attackers to exploit. It can also enable reflected XSS attacks, which may affect users interacting with the plugin. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by requesting the vulnerable jsmol.php script with crafted query parameters that perform directory traversal. For example, if an HTTP request to jsmol.php with a parameter designed to read a sensitive file such as /etc/passwd returns that file's contents, the installation is vulnerable. A simple test using curl could be: `curl -v "http://<target>/path/to/jsmol.php?file=../../../../etc/passwd"`. Monitoring web server logs for such suspicious requests or unexpected file access attempts can also help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or restricting access to the vulnerable Moodle Jmol plugin (version 6.1 and prior) until a patch or update is applied. Ensure that user input to jsmol.php is properly validated and sanitized to prevent directory traversal. If possible, update the plugin to a version where this vulnerability is fixed. Additionally, restrict PHP wrappers like 'expect' to prevent escalation to remote code execution. Monitoring and blocking suspicious requests targeting jsmol.php can also reduce risk. [1]
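The log monitoring recommended in the detection and mitigation answers above can be automated. The following is an added example, not code from BaseFortify or the Jmol plugin: it scans access-log lines for requests to jsmol.php whose parameters contain directory traversal or a PHP stream wrapper, including layered percent-encoding. It assumes Combined Log Format, reuses the path and `file` parameter from the curl example above, and treats every wrapper other than `expect` as an assumed watch list; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined Log Format (assumed): ip ident user [time] "METHOD target PROTO" status size
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')
# ".." used as a whole path segment, with either slash style
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# PHP stream wrappers; the page names only 'expect', the rest are an assumed watch list
WRAPPER_RE = re.compile(r'^\s*(expect|file|php|data|phar)://', re.I)

# Constructed sample lines; path and 'file' parameter follow the page's curl example
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2025:10:00:01 +0000] "GET /path/to/jsmol.php?file=caffeine.mol HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jul/2025:10:00:05 +0000] "GET /path/to/jsmol.php?file=../../../../etc/passwd HTTP/1.1" 200 1843',
    '198.51.100.7 - - [01/Jul/2025:10:00:09 +0000] "GET /path/to/jsmol.php?file=%252e%252e%252fconfig.php HTTP/1.1" 200 977',
    '203.0.113.4 - - [01/Jul/2025:10:01:00 +0000] "GET /path/to/jsmol.php?file=expect%3A%2F%2Fx HTTP/1.1" 500 0',
]

def fully_decode(value, rounds=3):
    """Undo layered percent-encoding such as %252e%252e, at most `rounds` times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(target):
    """Return sorted findings for one request target; empty list if nothing matched."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/jsmol.php"):
        return []
    findings = set()
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)  # parse_qsl already removed one encoding layer
        if TRAVERSAL_RE.search(value):
            findings.add("traversal:" + name)
        if WRAPPER_RE.match(value):
            findings.add("wrapper:" + name)
    return sorted(findings)

def scan(lines):
    """Return (client_ip, status, findings) for every log line that matched."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        findings = classify(m.group(2)) if m else []
        if findings:
            hits.append((m.group(1), int(m.group(3)), findings))
    return hits
```

Calling `scan(SAMPLE_LOG)` returns the three flagged requests; a 200 status on a flagged line is the one to triage first, since it suggests the read succeeded.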