CVE-2025-34032
BaseFortify

Publication date: 2025-06-24

Last updated on: 2025-11-20

Assigner: VulnCheck

Description
A reflected cross-site scripting (XSS) vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the data parameter in jsmol.php. The application fails to properly sanitize user input before embedding it into the HTTP response, allowing an attacker to execute arbitrary JavaScript in the victim's browser by crafting a malicious link. This can be used to hijack user sessions or manipulate page content. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC.
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2025-06-24
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor: geoffrowland
Product: jmol
Version / Range: up to and including 6.1
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a reflected cross-site scripting (XSS) issue in the Moodle LMS Jmol plugin (version 6.1 and prior). The plugin's jsmol.php script echoes the value of its data parameter into the HTTP response without sanitizing it, so an attacker who gets a victim to open a crafted link can run arbitrary JavaScript in that victim's browser, in the origin of the Moodle site. That is enough to hijack the victim's session or alter page content. According to the cited source, the plugin also carries other serious flaws: directory traversal, server-side request forgery (SSRF), and the ability to serve attacker-supplied Base64-encoded files to users as malware. None of these require authentication, and they remain exploitable while the plugin is disabled in Moodle but its files are still on the server. [1]


How can this vulnerability impact me?

An attacker can execute arbitrary JavaScript in your users' browsers, which allows hijacking their sessions or altering what they see on the page. The plugin's other vulnerabilities let an attacker read sensitive files from the server (like database credentials), make the server issue requests on their behalf (SSRF), and distribute malware to users. Because none of this requires authentication, the issues are exploitable remotely by anyone who can reach the Moodle site, with data theft, unauthorized access, and malware infection as the main risks. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Start by confirming whether the vulnerable plugin is present on the Moodle server: look for the plugin directory (for example /var/www/moodle/filter/jmol) and the jsmol.php script inside it. Then review web-server access logs for requests to jsmol.php whose data parameter carries script fragments (tags such as <script> or <img ... onerror=...>, often percent-encoded). Finally, on a system you are authorised to test, send a harmless probe and check whether it comes back unescaped, for example: curl -i 'http://your-moodle-site/filter/jmol/jsmol.php?data=%3Cscript%3Ealert(1)%3C%2Fscript%3E' and look for a literal <script>alert(1)</script> in the response body. If the tags are returned as-is rather than encoded (&lt;script&gt;), the script reflects unsanitized input. [1]
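The checks described above, as an added shell example that is not part of the BaseFortify page or the Jmol plugin: a signature scan over access-log lines for jsmol.php requests whose data parameter carries script-like content, and a classifier for a reflection probe. The log lines are constructed for illustration, the /filter/jmol/jsmol.php request path follows the page's own example and is an assumption for your installation, and the marker list is a starting point you should extend.

```shell
#!/bin/sh
# Added example: triage helpers for CVE-2025-34032, the reflected XSS via the
# "data" parameter of jsmol.php in the Moodle Jmol plugin.  Not taken from the
# BaseFortify page or the plugin; the request path /filter/jmol/jsmol.php
# follows the page's example and is an assumption for your installation.

# Signatures for a reflected XSS payload in a query string, raw or percent-
# encoded.  This is a grep-level signature match, not a URL decoder: double
# encoding or exotic obfuscation will slip through, so treat "no hits" as
# "nothing obvious", not as proof of absence.  Extend as needed (assumption).
XSS_MARKERS='<script|%3Cscript|<img|%3Cimg|<svg|%3Csvg|javascript:|javascript%3A|onerror=|onerror%3D|onload=|onload%3D'

# scan_jsmol_xss: read combined-format access-log lines on stdin and print
# those that request jsmol.php with a data= query parameter carrying one of
# the markers.  Exits 0 even when nothing matches so it is safe under set -e.
scan_jsmol_xss() {
    grep -iE 'jsmol\.php\?([^" ]*&)?data=' | grep -iE "$XSS_MARKERS" || true
}

# classify_reflection BODY MARKER: given a response body and the marker that
# was sent wrapped in <i>...</i>, report whether the markup came back intact
# (vulnerable), came back with the tags encoded, or was not reflected at all.
classify_reflection() {
    body="$1"
    marker="$2"
    case "$body" in
        *"<i>$marker</i>"*) echo reflected-unsanitized ;;
        *"$marker"*)        echo reflected-encoded ;;
        *)                  echo not-reflected ;;
    esac
}

# probe_reflection BASE_URL: live check against YOUR OWN instance (requires
# authorisation and network access; not run by the demo below).  Sends a
# harmless, unique marker wrapped in <i> via the data parameter and classifies
# the response.  Exit status 0 means the markup was reflected unsanitized.
probe_reflection() {
    base="$1"
    marker="bf$(date +%s)zz"
    resp="$(curl -s -S -G --max-time 10 --data-urlencode "data=<i>$marker</i>" \
        "$base/filter/jmol/jsmol.php")" || return 2
    result="$(classify_reflection "$resp" "$marker")"
    echo "$result"
    [ "$result" = reflected-unsanitized ]
}

# Constructed sample log (not real traffic): two suspicious jsmol.php requests,
# one benign jsmol.php request, and one unrelated request that also carries a
# data= parameter and must not be flagged.
SAMPLE_LOG='203.0.113.7 - - [02/Feb/2025:10:14:03 +0000] "GET /filter/jmol/jsmol.php?data=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.22 - - [02/Feb/2025:10:15:41 +0000] "GET /filter/jmol/jsmol.php?data=<img+src=x+onerror=alert(1)> HTTP/1.1" 200 35 "-" "curl/8.5.0"
192.0.2.15 - - [02/Feb/2025:10:16:09 +0000] "GET /filter/jmol/jsmol.php?data=caffeine.pdb HTTP/1.1" 200 1208 "-" "Mozilla/5.0"
192.0.2.16 - - [02/Feb/2025:10:17:12 +0000] "GET /course/view.php?id=3&data=%3Cscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

# Demo on the constructed log.  Against a real server you would run e.g.
#   scan_jsmol_xss < /var/log/apache2/access.log
echo "Suspicious jsmol.php requests:"
printf '%s\n' "$SAMPLE_LOG" | scan_jsmol_xss
```

The scan flags the first two constructed lines and ignores the benign jsmol.php request and the unrelated course page. Keep the probe to instances you are authorised to test, and remember that the classifier only tells you whether the markup survived output: an "encoded" result means the response escaped it, not that every other parameter or code path is safe.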


What immediate steps should I take to mitigate this vulnerability?

Uninstall the Moodle Jmol plugin completely and delete its directory from the server filesystem (for example /var/www/moodle/filter/jmol). Disabling the plugin in Moodle's administration interface is not enough: the vulnerable PHP scripts stay on disk and remain reachable over HTTP, so removing the directory is what actually closes the issue. In addition, make sure PHP's 'expect' stream wrapper is not available (it is provided by the PECL expect extension and is not part of a default PHP build), which the source describes as a route to escalate these issues to remote code execution. For the long term, track and apply upstream security fixes from the JSmol project. [1]
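The mitigation steps above, as an added shell example that is not the page's or the plugin's code: back up and delete the plugin directory, confirm that no copy of jsmol.php remains under the web root, check whether the PHP CLI exposes the expect wrapper, and optionally verify over HTTP that the script is no longer served. The Moodle root and plugin path are assumptions taken from the page's example paths; override MOODLE_ROOT for your install and run it as the account that owns the Moodle files.

```shell
#!/bin/sh
# Added example: remediation and verification steps for CVE-2025-34032.  Not
# from the BaseFortify page or the Moodle Jmol plugin.  The Moodle root and the
# plugin directory below are assumptions based on the page's example paths;
# override MOODLE_ROOT for your install and run as the owner of the files.

MOODLE_ROOT="${MOODLE_ROOT:-/var/www/moodle}"
JMOL_DIR="$MOODLE_ROOT/filter/jmol"

# Step 1: remove the plugin directory.  Disabling the plugin in Moodle leaves
# jsmol.php on disk and reachable over HTTP; deleting the directory is what
# closes the hole.  A tarball is written first so the removal can be audited
# or reversed.  Prints what it did; returns non-zero if the backup fails.
remove_jmol_plugin() {
    dir="${1:-$JMOL_DIR}"
    backup="${2:-/root/filter_jmol.$(date +%Y%m%d%H%M%S).tar.gz}"
    if [ ! -d "$dir" ]; then
        echo "nothing to remove at $dir"
        return 0
    fi
    tar -czf "$backup" -C "$(dirname "$dir")" "$(basename "$dir")" || return 1
    rm -rf "$dir"
    echo "removed $dir (backup: $backup)"
}

# Step 2: count copies of jsmol.php left anywhere under the web root.  A second
# unpacked copy (an old upgrade, a test branch) is just as reachable as the
# original.  Expect 0 after removal.
leftover_jsmol_copies() {
    root="${1:-$MOODLE_ROOT}"
    find "$root" -type f -name 'jsmol.php' 2>/dev/null | wc -l | tr -d ' '
}

# Step 3: the page recommends keeping PHP's 'expect' stream wrapper disabled.
# The wrapper comes from the PECL expect extension and is absent from a default
# PHP build, so "disabled" is the normal answer.  This asks the CLI binary,
# which may load a different php.ini than the web SAPI; check that one too.
expect_wrapper_state() {
    command -v php >/dev/null 2>&1 || { echo php-not-found; return 0; }
    if php -r 'exit(in_array("expect", stream_get_wrappers(), true) ? 0 : 1);' 2>/dev/null; then
        echo enabled
    else
        echo disabled
    fi
}

# Step 4: confirm over HTTP that the script is gone (network; not run below).
# Prints the status code and succeeds unless the server still answers 200.
verify_jsmol_gone() {
    base="$1"
    code="$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
        "$base/filter/jmol/jsmol.php")" || return 2
    echo "$code"
    [ "$code" != 200 ]
}

# Read-only checks (steps 2 and 3).  Uncomment step 1 when you are ready to
# remove the plugin; step 4 needs the site's base URL, e.g.
#   verify_jsmol_gone https://moodle.example.org
# remove_jmol_plugin
echo "jsmol.php copies under $MOODLE_ROOT: $(leftover_jsmol_copies)"
echo "expect wrapper (CLI): $(expect_wrapper_state)"
```

After running step 1, step 2 should report 0 and step 4 should return 404 (or 403 if a web-server rule blocks the path); a 200 means another copy of the script is still being served from somewhere under the document root.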

